73 Amendments of Pascal ARIMONT related to 2020/0340(COD)
Amendment 54 #
Proposal for a regulation
Recital 3
Recital 3
(3) It is necessary to improve the conditions for data sharing in the internal market, by creating a harmonised framework for data exchanges. Sector- specific legislation can develop, adapt and propose new and complementary elements, depending on the specificities of the sector, such as the envisaged legislation on the European health data space25 and on access to vehicle data. Moreover, certain sectors of the economy are already regulated by sector-specific Union law that include rules relating to cross-border or Union wide sharing or access to data26 . This Regulation is therefore without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council (27 ), and in particular the implementation of this Regulation shall not prevent cross border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679 from taking place, Directive (EU) 2016/680 of the European Parliament and of the Council (28 ), Directive (EU) 2016/943 of the European Parliament and of the Council (29 ), Regulation (EU) 2018/1807 of the European Parliament and of the Council (30 ), Regulation (EC) No 223/2009 of the European Parliament and of the Council (31 ), Directive 2000/31/EC of the European Parliament and of the Council (32 ), Directive 2001/29/EC of the European Parliament and of the Council (33 ), Directive (EU) 2019/790 of the European Parliament and of the Council (34 ), Directive 2004/48/EC of the European Parliament and of the Council (35 ), Directive (EU) 2019/1024 of the European Parliament and of the Council (36 ), as well as Regulation 2018/858/EU of the European Parliament and of the Council (37 ), Directive 2010/40/EU of the European Parliament and of the Council (38 ) and Delegated Regulations adopted on its basis, and any other sector-specific Union legislation that organises the access to and re-use of data. This Regulation should be without prejudice to the access and use of data for the purpose of international cooperation in the context of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. A horizontal regime for the re-use of certain categories of protected data held by public sector bodies, the provision of data sharing services and of services based on data altruism in the Union should be established. Specific characteristics of different sectors may require the design of sectoral data-based systems, while building on the requirements of this Regulation. Where a sector-specific Union legal act requires public sector bodies, providers of data sharingintermediation services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act should also apply. _________________ 25 See: Annexes to the Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on Commission Work Programme 2021 (COM(2020) 690 final). 26For example, Directive 2011/24/EU in the context of the European Health Data Space, and relevant transport legislation such as Directive 2010/40/EU, Regulation 2019/1239 and Regulation (EU) 2020/1056, in the context of the European Mobility Data Space. 27Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), (OJ L 119, 4.5.2016, p.1) 28Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. (OJ L 119, 4.5.2016, p.89) 29Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure. (OJ L 157, 15.6.2016, p.1) 30 Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union. (OJ L 303, 28.11.2018, p. 59) 31Regulation (EC) No 223/2009 of the European Parliament and of the Council of 11 March 2009 on European statistics and repealing Regulation (EC, Euratom) No 1101/2008 of the European Parliament and of the Council on the transmission of data subject to statistical confidentiality to the Statistical Office of the European Communities, Council Regulation (EC) No 322/97 on Community Statistics, and Council Decision 89/382/EEC, Euratom establishing a Committee on the Statistical Programmes of the European Communities. (OJ L 87, 31.03.2009, p. 164) 32Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000, on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce). (OJ L 178, 17.07.2000, p. 1) 33Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society. (OJ L 167, 22.6.2001, p. 10) 34 Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC. (OJ L 130, 17.5.2019, p. 92) 35Directive 2004/48/EC of the European Parliament and of the Council of 29 April 2004 on the enforcement of intellectual property rights. (OJ L 157, 30.4.2004). 36Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information. (OJ L 172, 26.6.2019, p. 56). 37 Regulation (EU) 2018/858 of the European Parliament and of the Council of 30 May 2018 on the approval and market surveillance of motor vehicles and their trailers, and of systems, components and separate technical units intended for such vehicles, amending Regulations (EC) No 715/2007 and (EC) No 595/2009 and repealing Directive 2007/46/EC (OJ L 151, 14.6.2018). 38 Directive 2010/40/EU of the European Parliament and of the Council of 7 July 2010 on the framework for the deployment of Intelligent Transport Systems in the field of road transport and for interfaces with other modes of transport. (OJ L 207, 6.8.2010, p. 1)
Amendment 56 #
Proposal for a regulation
Recital 4
Recital 4
(4) Action at Union level is necessary in order to address the barriers to a well- functioning data-driven economy and to create a Union-wide governance framework. A Union-wide governance framework should be built in a way as to enable individuals, businesses - especially SMEs and start- ups - as well as civil society actors to thrive, ensuring trust, transparency, interoperability, access, portability, security of data, and a level-playing field for all actors, with a view to enhancing the flow and re-use of non-personal and personal data that is fully compliant with the relevant instruments of EU and national law. It should allow for data access and use, in particular regarding the re-use of certain types of data held by the public sector, the provision of services by data sharingintermediation providers to business users and to data subjects, as well as the collection and processing of data made available for altruistic purposes by natural and legal persons.
Amendment 59 #
Proposal for a regulation
Recital 4 a (new)
Recital 4 a (new)
(4a) The Commission’s consultation of 9 October 2019 entitled ‘SME panel consultation on B2B Data Sharing Principles and Guidance’ found that 40% of SMEs struggle to access the data they need to develop data-driven products and services underscoring the need to lower the barriers to a data-driven economy, in particular for SMEs. The Digital Europe Programme, as well as other Union and national programmes, should support cooperation to achieve a European ecosystem for trusted data sharing. European Digital Innovation Hubs and their network should also be able to help businesses, in particular SMEs and start- ups to reap the benefits from the European data economy.
Amendment 61 #
Proposal for a regulation
Recital 4 b (new)
Recital 4 b (new)
(4b) To foster further trust in the data economy of the Union, it is essential that citizens, businesses, civil society actors and the public sector are provided with safeguards ensuring that control over their strategic and sensitive data is guaranteed and that Union legislation, values and high level standards are upheld in terms of, but not limited to, security, protection of personal data, consumer rights, intellectual property rights and commercial confidentiality, including trade secrets. To that end, public sector bodies, natural or legal persons to which the right to re-use data was granted, providers of data intermediation services and entities entered in the register of recognized data altruism organisations should adhere to the relevant technical standards, codes of conduct and certifications at Union level.
Amendment 63 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and randomisation or other methods that effectively prevent the identification of data subjects. Application of these privacy-enhancing technologies, together with comprehensive data protection approaches compliant with the rules on data processing should ensure the safe re-use of personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place and supervised by the public sector. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 ). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 of Regulation (EU) 2016/679. _________________ 39Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 68 #
Proposal for a regulation
Recital 9
Recital 9
(9) Public sector bodies should comply with competition law when establishing the principles for re-use of data they hold, avoiding as far as possible the conclusion of agreements, which might have as their objective or effect the creation of exclusive rights for the re-use of certain data. Such agreement should be only possible when justified and necessary for the provision of a service of general interest. This may be the case when exclusive use of the data is the only way to maximise the societal benefits of the data in question, for example where there is only one entity (which has specialised in the processing of a specific dataset) capable of delivering the service or the product which allows the public sector body to provide an advanced digital service in the general interest. Such arrangements should, however, be concluded in compliance with public procurement rules and be subject to regular review based on a market analysis in order to ascertain whether such exclusivity continues to be necessary. In addition, such arrangements should comply with the relevant State aid rules, as appropriate, and should be concluded for a limited period, which should not exceed three years12 months. That period may be extended by 12 months, subject to the approval of the competent body supporting the public sector body in question. In order to ensure transparency, such exclusive agreements should be published online, regardless of a possible publication of an award of a public procurement contract.
Amendment 72 #
Proposal for a regulation
Recital 11
Recital 11
(11) Conditions for re-use of protected data that apply to public sector bodies competent under national law to allow re- use, and which should be without prejudice to rights or obligations concerning access to such data, should be laid down. Those conditions should be non-discriminatory, transparent, proportionate and objectively justified, while not restricting competitionfostering competition, with a specific focus on promoting access to such data for SMEs, start-ups and civil society actors and promoting innovation and scientific research. In particular, public sector bodies allowing re- use should have in place the technical means necessary to ensure the protection of rights and interests of third parties and should be empowered to request the necessary information from the re-user. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of others in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate effortburden for the public sector. Depending on the case at hand, before its transmission, personal data should be fully anonymised, so as to definitively not allow the identification of the data subjects, or data containing commercially confidential information modified in such a way that no confidential information is disclosed. Where provision of anonymised or modified data would not respond to the needs of the re-user, on- premise or remote re-use of the data within a secure processing environment could be permitted. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of others. In particular, personal data should only be transmitted for re-use to a third party where a legal basis allows such transmission. The public sector body cshould make the use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. The public sector bodies, where relevant, should facilitate the re-use of data on the basis of consent of data subjects or permissions of legal persons on the re-use of data pertaining to them through adequate technical means. In this respect, the public sector body should support potential re-users in seeking such consent by establishing technical mechanisms that permit transmitting requests for consent from re-users, where practically feasible. Public sector bodies should focus in particular on seeking to ensure that SMEs, start-ups and civil society actors are able to compete fairly. No contact information should be given that allows re- users to contact data subjects or companies directly.
Amendment 77 #
Proposal for a regulation
Recital 12
Recital 12
(12) The intellectual property rights of third parties shouldare not be affected by this Regulation. This Regulation should neither affects the existence or ownership of intellectual property rights of public sector bodies, nor shoulddoes it limit the exercise of these rights in any way beyond the boundaries set by this Regulation. The obligations imposed in accordance with this Regulation should apply only insofar as they are compatible with international agreements on the protection of intellectual property rights, in particular the Berne Convention for the Protection of Literary and Artistic Works (Berne Convention), the Agreement on Trade-Related Aspects of Intellectual Property Rights (TRIPS Agreement) and the WIPO Copyright Treaty (WCT). Public sector bodies should, however, exercise their copyright in a way that facilitates re- use.
Amendment 80 #
Proposal for a regulation
Recital 15
Recital 15
(15) Furthermore, in order to preserve fair competition and an open market economy it is important to protect commercially sensitive data of non- personal nature, notably trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to IP theft or industrial espionage. In order to ensure the protection of fundamental rights or interests of data holders, non-personal data which is to be protected from unlawful or unauthorised access under Union or national law, and which is held by public sector bodies, should be transferred only to third-countries where appropriate safeguards for the use of data are provided. Such appropriate safeguards should be considered to exist when in thatose third- countryies there are equivalent measures in place which ensure that non-personal data benefits from a level of protection similar to that applicable by means of Union or national law in particular as regards the protection of trade secrets and the protection of intellectual property rights. To that end, the Commission may adopt implementpower to adopt acts ing acts that declare that acordance with Article 290 TFEU should be delegated to the Commission to draw up and subsequently update a list identifying the third -countryies that provides a level of protection that is essentially equivalent to those provided by Union or national law. The assessment of the level of protection afforded in such third-countryies should, in particular, take into consideration the relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law concerning the access to and protection of non-personal data, any access by the public authorities of that third country to the data transferred, the existence and effective functioning of one or more independent supervisory authorities in the third country with responsibility for ensuring and enforcing compliance with the legal regime ensuring access to such data, or the third countries’ international commitments regarding the protection of data the third country concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems. The existence of effective legal remedies for data holders, public sector bodies or data sharing providerproviders of data intermediation services in the third country concerned is of particular importance in the context of the transfer of non-personal data to that third country. Such safeguards should therefore include the availability of enforceable rights and of effective legal remedies. Moreover, should there be any worrying cases concerning the re-use of non-personal date in third countries, the Commission should take these into account when adopting delegated acts.
Amendment 82 #
Proposal for a regulation
Recital 16
Recital 16
(16) In cases where therea third-country is not implementing acncluded in the list adopted by the Commission in relation to aby means of delegated acts identifying the third -country declaringies that it provides a level of protection, in particular as regards the protection of commercially sensitive data and the protection of intellectual property rights, which is essentially equivalent to that provided by Union or national law, the public sector body should only transmit protected data to a re-user, if the re-user undertakes obligations in the interest of the protection of the data. The re-user that intends to transfer the data to such third country should commit to comply with the obligations laid out in this Regulation even after the data has been transferred to the third country. To ensure the proper enforcement of such obligations, the re- user should also accept the jurisdiction of the Member State of the public sector body that allowed the re-use for the judicial settlement of disputes. In that regard, the public sector bodies or the competent bodies should, to the extent of their capabilities, provide guidance and legal administrative support to re-users, especially small actors, such as SME, start-ups and civil society actors, for the purpose of supporting them in complying with those obligations.
Amendment 84 #
Proposal for a regulation
Recital 18
Recital 18
(18) In order to prevent unlawful access to non-personal data, public sector bodies, natural or legal persons to which the right to re-use data was granted, data sharingintermediation providers and entities entered in the register of recognised data altruism organisations should take all reasonable measures to prevent access to the systems where non-personal data is stored, including encryption of data, cybersecurity measures or corporate policies.
Amendment 89 #
Proposal for a regulation
Recital 21
Recital 21
(21) In order to incentivise the re-use of these categories of data, Member States should establish a single information point to act as the primary interface for re-users that seek to re-use such data held by the public sector bodies. It should have a cross-sector remit, and should complement, if necessary, arrangements at the sectoral level. In addition, Member States should designate, establish or facilitate the establishment of competent bodies to support the activities of public sector bodies allowing re-use of certain categories of protected data. Their tasks may include granting access to data, where mandated in sectoral Union or Member States legislation, and developing a harmonised approach and processes for public sector bodies to make data available. Those competent bodies should provide support to public sector bodies with state-of-the-art techniques, including secure data processing environments, which allow data analysis in a manner that preserves the privacy of the information. Such support structure could support the data holders with management of the consent, including consent to certain areas of scientific research when in keeping with recognised ethical standards for scientific research. Data processing should be performed under the responsibility of the public sector body responsible for the register containing the data, who remains a data controller in the sense of Regulation (EU) 2016/679 insofar as personal data are concerned. Member States may have in place one or several competent bodies, which could act in different sectors.
Amendment 91 #
Proposal for a regulation
Recital 22
Recital 22
(22) Providers of data sharingintermediation services (data intermediaries) are expected to play a key role in the data economy, as a tool to facilitate the aggregation and exchange of substantial amounts of relevant data. Data intermediaries offering services that connect the different actors have the potential to contribute to the efficient pooling of data as well as to the facilitation of bilateral data sharing. Specialised data intermediaries that are independent from both data holders and data users can have a facilitating role in the emergence of new data-driven ecosystems independent from any player with a significant degree of market power. This Regulation should only cover providers of data sharingintermediation services that have as a main objective the establishment of a business, a legal and potentially also technical relation between data holders, including data subjects, on the one hand, and potential users on the other hand, and assist both parties in a transaction of data assets between the two. It should only cover services aiming at intermediating between an indefinite number of data holders and data users, excluding data sharing services that are meant to be used by a closed group of data holders and users. Providers of cloud services should be excluded, as well as service providers that obtain data from data holders, aggregate, enrich or transform the data and licence the use of the resulting data to data users, without establishing a direct relationship between data holders and data users, for example advertisement or data brokers, data consultancies, providers of data products resulting from value added to the data by the service provider. At the same time, data sharing service providerproviders of data intermediation services should be allowed to make adaptations to the data exchanged, to the extent that thisin order to improves the usability of the data by the data user, where the data user desires this, or improve interoperability such as to convert it into specific formats. In addition, services that focus on the intermediation of content, in particular on copyright-protected content, should not be covered by this Regulation. Data exchange platforms that are exclusively used by one data holder in order to enable the use of data they hold as well as platforms developed in the context of objects and devices connected to the Internet-of-Things that have as their main objective to ensure functionalities of the connected object or device and allow value added services, should not be covered by this Regulation. ‘Consolidated tape providers’ in the sense of Article 4 (1) point 53 of Directive 2014/65/EU of the European Parliament and of the Council42 as well as ‘account information service providers’ in the sense of Article 4 point 19 of Directive (EU) 2015/2366 of the European Parliament and of the Council43 should not be considered as data sharing service providerproviders of data intermediation services for the purposes of this Regulation. Entities which restrict their activities to facilitating use of data made available on the basis of data altruism and that operate on a not-for-profit basis should not be covered by Chapter III of this Regulation, as this activity serves objectives of general interest by increasing the volume of data available for such purposes. _________________ 42Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU, OJ L 173/349. 43Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC.
Amendment 92 #
Proposal for a regulation
Recital 25
Recital 25
(25) In order to increase trust in such data sharingintermediation services, in particular related to the use of data and the compliance with the conditions imposed by data holders, it is necessary to create a Union-level regulatory framework, which would set out highly harmonised requirements related to the trustworthy provision of such data sharingintermediation services. This will contribute to ensuring that data holders and data users have better control over the access to and use of their data, in accordance with Union law. Additionally, in order to foster trust, the Commission should encourage and facilitate the development of self- regulatory codes of conduct at Union level, involving relevant stakeholders. Both in situations where data sharing occurs in a business-to-business context and where it occurs in a business-to- consumer context, data sharingintermediation providers should offer a novel, ‘European’ way of data governance, by providing a separation in the data economy between data provision, intermediation and use. Providers of data sharingintermediation services may also make available specific technical infrastructure for the interconnection of data holders and data users. In that regard, it is important to shape that infrastructure in such a way that SMEs and start-ups as well as civil society actors encounter no technical or other barriers to their participation in the data economy.
Amendment 93 #
Proposal for a regulation
Recital 26
Recital 26
(26) A key element to bring trust and more control for data holder and data users in data sharingintermediation services is the neutrality of data sharing service providerproviders of data intermediation services as regards the data exchanged between data holders and data users. It is therefore necessary that data sharing service providerproviders of data intermediation services act only as intermediaries in the transactions, and do not use the data exchanged for any other purpose. This will also require structural separation between the data sharingintermediation service and any other services provided, so as to avoid issues of conflict of interest. This means that the data sharingintermediation service should be provided through a legal entity that is separate from the other activities of that data sharing provider. Data sharing providerprovider of data intermediation services. Providers of data intermediation services should, however, be able to offer data holders and data users tools for the purpose of facilitating the exchange of data, for example tools for the analysis, conversion, aggregation, curation, anonymisation or pseudonymisation of data. Providers of data intermediation services that intermediate the exchange of data between individuals as data holders and legal persons should, in addition, bear fiduciary duty towards the individuals, to ensure that they act in the best interest of the data holders.
Amendment 94 #
Proposal for a regulation
Recital 27
Recital 27
(27) In order to ensure the compliance of the providers of data sharingintermediation services with the conditions set out in this Regulation, such providers should have a place of establishment in the Union. Alternatively, where a provider of data sharingintermediation services not established in the Union offers services within the Union, it should designate a representative. Designation of a representative is necessary, given that such providers of data sharingintermediation services handle personal data as well as commercially confidential data, which necessitates the close monitoring of the compliance of such service providers with the conditions laid out in this Regulation. In order to determine whether such a provider of data sharingintermediation services is offering services within the Union, it should be ascertained whether it is apparent that the provider of data sharingintermediation services is planning to offer services to persons in one or more Member States. The mere accessibility in the Union of the website or of an email address and of other contact details of the provider of data sharingintermediation services, or the use of a language generally used in the third country where the provider of data sharingintermediation services is established, should be considered insufficient to ascertain such an intention. However, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering services in that other language, or the mentioning of users who are in the Union, may make it apparent that the provider of data sharingintermediation services is planning to offer services within the Union. The representative should act on behalf of the provider of data sharingintermediation services and it should be possible for competent authorities to contact the representative. The representative should be designated by a written mandate of the provider of data sharingintermediation services to act on the latter's behalf with regard to the latter's obligations under this Regulation.
Amendment 97 #
Proposal for a regulation
Recital 28
Recital 28
(28) This Regulation should be without prejudice to the obligation of providers of data sharingintermediation services to comply with Regulation (EU) 2016/679 and the responsibility of supervisory authorities to ensure compliance with that Regulation. Where the data sharing service providerproviders of data intermediation services are data controllers or processors in the sense of Regulation (EU) 2016/679 they are bound by the rules of that Regulation. This Regulation should be also without prejudice to the application of competition law.
Amendment 98 #
Proposal for a regulation
Recital 29
Recital 29
(29) Providers of data sharingintermediation services should also take measures to ensure compliance with competition law. Data sharing may generate various types of efficiencies but may also lead to restrictions of competition, in particular where it includes the sharing of competitively sensitive information. This applies in particular in situations where data sharing enables businesses to become aware of market strategies of their actual or potential competitors. Competitively sensitive information typically includes information on future prices, production costs, quantities, turnovers, sales or capacities.
Amendment 99 #
Proposal for a regulation
Recital 30
Recital 30
(30) A notification procedure for data sharingintermediation services should be established in order to ensure a data governance within the Union based on trustworthy exchange of data. The benefits of a trustworthy environment would be best achieved by imposing a number of requirements for the provision of data sharingintermediation services, but without requiring any explicit decision or administrative act by the competent authority for the provision of such services.
Amendment 100 #
Proposal for a regulation
Recital 31
Recital 31
(31) In order to support effective cross- border provision of services, the data sharingintermediation provider should be requested to send a notification only to the designated competent authority from the Member State where its main establishment is located or where its legal representative is located. Such a notification should not entail more than a mere declaration of the intention to provide such services and should be completed only by the information set out in this Regulation.
Amendment 101 #
Proposal for a regulation
Recital 32
Recital 32
(32) The main establishment of a provider of data sharingintermediation services in the Union should be the Member State with the place of its central administration in the Union. The main establishment of a provider of data sharingintermediation services in the Union should be determined according to objective criteria and should imply the effective and real exercise of management activities.
Amendment 103 #
Proposal for a regulation
Recital 33
Recital 33
(33) The competent authorities designated to monitor compliance of data sharingintermediation services with the requirements in this Regulation should be chosen on the basis of their capacity and expertise regarding horizontal or sectoral data sharing, and they should be independent as well as transparent and impartial in the exercise of their tasks. Member States should notify the Commission of the identity of the designated competent authorities.
Amendment 106 #
Proposal for a regulation
Recital 36
Recital 36
(36) Legal entities that seek to support purposes of general interest by making available relevant data based on data altruism at scale and meet certain requirements, should be able to register as ‘Data Altruism Organisations recognised in the Union’. This could lead to the establishment of data repositories. As registration in a Member State would be valid across the Union, and this should facilitate cross-border data use within the Union and the emergence of data pools covering several Member States. Data subjects in this respect would consent to specific purposes of data processing, but could also consent to data processing in certain areas of research or parts of research projects as it is often not possible to fully identify the purpose of personal data processing for scientific research purposes at the time of data collection. Legal persons could give permission to the processing of their non-personal data for a range of purposes not defined at the moment of giving the permission. The voluntary compliance of such registered entities with a set of requirements should bring trust that the data made available on altruistic purposes is serving a general interest purpose. Such trust should result in particular from a place of establishment within the Union, as well as from the requirement that registered entities have a not-for-profit character, from transparency requirements and from specific safeguards in place to protect rights and interests of data subjects and companies. Further safeguards should include making it possible to process relevant data within a secure processing environment operated by the registered entity, oversight mechanisms such as ethics councils or boards to ensure that the data controller maintains high standards of scientific ethics, effective technical means to withdraw or modify consent at any moment, based on the information obligations of data processors under Regulation (EU) 2016/679 as well as means for data subjects to stay informed about the use of data they made available. Additionally, in order to foster trust, the Commission should encourage and facilitate the development of self- regulatory codes of conduct at Union level, involving relevant stakeholders.
Amendment 110 #
Proposal for a regulation
Recital 39
Recital 39
(39) To promote trust and bring additional legal certainty and user- friendliness to granting and withdrawing of consent, in particular in the context of scientific research and statistical use of data made available on an altruistic basis, a European data altruism consent form should be developed and used in the context of altruistic data sharing. Such a form should contribute to additional transparency for data subjects that their data will be accessed and used in accordance with their consent and also in full compliance with the data protection rules. It could also be used to streamline data altruism performed by companies and provide a mechanism allowing such companies to withdraw their permission to use the data. In order to take into account the specificities of individual sectors, including from a data protection perspective, there should be a possibility for sectoral adjustments of the European data altruism consent form.
Amendment 112 #
Proposal for a regulation
Recital 43
Recital 43
(43) In order to ensure the protection of the rights and interests of data holders and take account of the specific nature of certain categories of data, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission to draw up a list identifying the third countries that provide a level of protection that is essentially equivalent to those provided by Union or national law and to lay down special conditions applicable for transfers to third- countries of certain non-personal data categories deemed to be highly sensitive in specific Union acts adopted though a legislative procedure. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making . In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.
Amendment 115 #
Proposal for a regulation
Article 1 – paragraph 2
Article 1 – paragraph 2
(2) This Regulation is without prejudice to specific provisions in other Union legal acts regarding access to or re- use of certain categories of data, or requirements related to processing of personal or non-personal data. Where a sector-specific Union legal act requires public sector bodies, providers of data sharingintermediation services or registered entities providing data altruism services to comply with specific additional technical, administrative or organisational requirements, including through an authorisation or certification regime, those provisions of that sector-specific Union legal act shall also apply.
Amendment 130 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘data altruism’ means the consentvoluntary sharing of data by data subjects or their consent to process personal data pertaining to them, or permissions of other data holders to allow the use of their non- personal data without seeking or receiving a reward, for purposes of general interest, such as scientific research purposes, policy making or improving public services;
Amendment 133 #
Proposal for a regulation
Article 2 – paragraph 1 – point 15
Article 2 – paragraph 1 – point 15
(15) ‘representative’ means any natural or legal person established in the Union explicitly designated to act on behalf of a provider of data sharingintermediation services or an entity that collects data for objectives of general interest made available by natural or legal persons on the basis of data altruism not established in the Union, which may be addressed by a national competent authority instead of the provider of data sharingintermediation services or entity with regard to the obligations of that provider of data sharingintermediation services or entity set up by this Regulation.
Amendment 134 #
Proposal for a regulation
Article 3 – paragraph 2 – point c
Article 3 – paragraph 2 – point c
(c) data held by cultural establishments and educational establishments for which intellectual property rights are not incidental, but which are predominantly contained in works and other documents protected by such intellectual property rights;
Amendment 136 #
(1) Agreements or other practices pertaining to the re-use of data held by public sector bodies containing categories of data referred to in Article 3 (1) which grant exclusive rights or which have as their object or effect to grant such exclusive rights or to restrict the availability of data for re-use by entities other than the parties to such agreements or other practices shall be prohibited. Such agreements or practices and the exclusive rights granted pursuant to them shall be void.
Amendment 137 #
Proposal for a regulation
Article 4 – paragraph 5
Article 4 – paragraph 5
(5) The period of exclusivity of the right to re-use data shall not exceed three years12 months. That period may be extended by 12 months, subject to the approval by the competent body referred to in Article 7(1). Where a contract is concluded, the duration of the contract awarded shall be as aligned with the period of exclusivity.
Amendment 138 #
Proposal for a regulation
Article 4 – paragraph 7
Article 4 – paragraph 7
(7) Agreements or other practices falling within the scope of the prohibition in paragraph 1, which do not meet the conditions set out in paragraph 2, and which were concluded before the date of entry into force of this Regulation shall be terminated at the end of the contract and in any event at the latest within threewo years after the date of entry into force of this Regulation.
Amendment 139 #
Proposal for a regulation
Article 5 – paragraph 2
Article 5 – paragraph 2
(2) Conditions for re-use shall be non- discriminatory, transparent, proportionate and objectively justified with regard to categories of data and purposes of re-use and the nature of the data for which re-use is allowed. These conditions shall not be used to restrict competition, including by being constructed in a way that poses restrictions for SMEs, start-ups or civil society actors to participate in the data economy.
Amendment 145 #
Proposal for a regulation
Article 5 – paragraph 4 – introductory part
Article 5 – paragraph 4 – introductory part
(4) PIn duly justified cases, public sector bodies may impose obligations
Amendment 148 #
Proposal for a regulation
Article 5 – paragraph 5
Article 5 – paragraph 5
(5) The public sector bodies shall impose conditions that preserve the integrity of the functioning of the technical systems of the secure processing environment, used in compliance with high level cybersecurity standards. The public sector body shall be able to verify any results of processing of data undertaken by the re- user and reserve the right, after giving the re-user the possibility to provide further information, to prohibit the use of results that contain information jeopardising the rights and interests of third parties, such as intellectual property rights, trade secrets or rights referred to in Regulation (EU) 2016/679.
Amendment 155 #
Proposal for a regulation
Article 5 – paragraph 6
Article 5 – paragraph 6
(6) Where the re-use of data cannot be granted in accordance with the obligations laid down in paragraphs 3 to 5 and there is no other legal basis for transmitting the data under Regulation (EU) 2016/679, the public sector body shall support re-users in seeking consent of the data subjects and/or permission from the legal entities whose rights and interests may be affected by such re-use, where it is feasible without disproportionate cost for the public sector. To this end, the public sector bodies shall be equipped with the necessary human and financial resources to carry out their duties in an effective and efficient way. In that task they may be assisted by the competent bodies referred to in Article 7 (1).
Amendment 160 #
Proposal for a regulation
Article 5 – paragraph 9 – subparagraph 1 – introductory part
Article 5 – paragraph 9 – subparagraph 1 – introductory part
(9) The Commission may adopt implementshall be empowered to adopt delegated acts ing acts declaring thatcordance with Article 28 to draw up and update a list of third-countries where the legal, supervisory and enforcement arrangements of a third countryin place:
Amendment 161 #
Proposal for a regulation
Article 5 – paragraph 9 – subparagraph 2
Article 5 – paragraph 9 – subparagraph 2
Amendment 168 #
Proposal for a regulation
Article 6 – paragraph 4
Article 6 – paragraph 4
(4) Where they apply fees, public sector bodies shall take measures to incentivise the re-use of the categories of data referred to in Article 3 (1) for non- commercial purposes and by small and medium-sized enterprises in line with State aid rules. In that regard, public sector bodies may also make the data available for a discounted fee or free of charge, in particular to SMEs and start-ups, civil society actors and educational establishments.
Amendment 178 #
Proposal for a regulation
Article 7 – paragraph 4
Article 7 – paragraph 4
(4) The competent body or bodies shall have adequate legal and technical capacities and expertise to be able to comply with relevant Union or national law concerning the access regimes for the categories of data referred to in Article 3 (1). The competent body or bodies should be equipped with the necessary human and financial resources to carry out their duties in an effective and efficient way.
Amendment 180 #
Proposal for a regulation
Chapter III – title
Chapter III – title
Requirements applicable to data sharingintermediation services
Amendment 181 #
Proposal for a regulation
Article 9 – title
Article 9 – title
Providers of data sharingintermediation services
Amendment 182 #
Proposal for a regulation
Article 9 – paragraph 1 – introductory part
Article 9 – paragraph 1 – introductory part
(1) The provision of the following data sharingintermediation services shall be subject to a notification procedure:
Amendment 187 #
Proposal for a regulation
Article 9 – paragraph 2
Article 9 – paragraph 2
(2) This Chapter shall be without prejudice to the application of other Union and national law to providers of data sharingintermediation services, including powers of supervisory authorities to ensure compliance with applicable law, in particular as regard the protection of personal data and competition law.
Amendment 189 #
Proposal for a regulation
Article 10 – title
Article 10 – title
Notification of data sharingintermediation service providers
Amendment 190 #
Proposal for a regulation
Article 10 – paragraph 1
Article 10 – paragraph 1
(1) Any provider of data sharingintermediation services who intends to provide the services referred to in Article 9 (1) shall submit a notification to the competent authority referred to in Article 12.
Amendment 191 #
Proposal for a regulation
Article 10 – paragraph 2
Article 10 – paragraph 2
(2) For the purposes of this Regulation, a provider of data sharingintermediation services with establishments in more than one Member State, shall be deemed to be under the jurisdiction of the Member State in which it has its main establishment.
Amendment 193 #
Proposal for a regulation
Article 10 – paragraph 3
Article 10 – paragraph 3
(3) A provider of data sharingintermediation services that is not established in the Union, but offers the services referred to in Article 9 (1) within the Union, shall appoint a legal representative in one of the Member States in which those services are offered. The provider shall be deemed to be under the jurisdiction of the Member State in which the legal representative is established.
Amendment 194 #
Proposal for a regulation
Article 10 – paragraph 4
Article 10 – paragraph 4
(4) Upon notification, the provider of data sharingintermediation services may start the activity subject to the conditions laid down in this Chapter.
Amendment 196 #
Proposal for a regulation
Article 10 – paragraph 5
Article 10 – paragraph 5
(5) The notification shall entitle the provider to provide data sharingintermediation services in all Member States.
Amendment 197 #
Proposal for a regulation
Article 10 – paragraph 6 – point a
Article 10 – paragraph 6 – point a
(a) the name of the provider of data sharingintermediation services;
Amendment 205 #
Proposal for a regulation
Article 10 – paragraph 9
Article 10 – paragraph 9
(9) The competent authority shall notify the Commission of each new notification. The Commission shall keep a register of providers of data sharingintermediation services.
Amendment 206 #
Proposal for a regulation
Article 10 – paragraph 10
Article 10 – paragraph 10
(10) The competent authority may charge fees. Such fees shall be proportionate and objective and be based on the administrative costs related to the monitoring of compliance and other market control activities of the competent authorities in relation to notifications of data sharingintermediation services.
Amendment 207 #
Proposal for a regulation
Article 10 – paragraph 11
Article 10 – paragraph 11
(11) Where a provider of data sharingintermediation services ceases its activities, it shall notify the relevant competent authority determined pursuant to paragraphs 1, 2 and 3 within 15 days. The competent authority shall forward without delay each such notification to the national competent authorities in the Member States and to the Commission by electronic means.
Amendment 208 #
Proposal for a regulation
Article 11 – title
Article 11 – title
Conditions for providing data sharingintermediation services
Amendment 209 #
Proposal for a regulation
Article 11 – paragraph 1 – introductory part
Article 11 – paragraph 1 – introductory part
The provision of data sharingintermediation services referred in Article 9 (1) shall be subject to the following conditions:
Amendment 210 #
Proposal for a regulation
Article 11 – paragraph 1 – point 1
Article 11 – paragraph 1 – point 1
(1) the provider may not use the data for which it provides services for other purposes than to put them at the disposal of data users and data sharingintermediation services shall be placed in a separate legal entity;
Amendment 212 #
Proposal for a regulation
Article 11 – paragraph 1 – point 2
Article 11 – paragraph 1 – point 2
(2) the metadata collected from the provision of the data sharingintermediation service may be used only for the development of that service;
Amendment 214 #
Proposal for a regulation
Article 11 – paragraph 1 – point 4 a (new)
Article 11 – paragraph 1 – point 4 a (new)
(4a) data intermediation services may include offering additional specific tools and services to data holders for the purpose of facilitating the exchange of data, such as analysis, temporary storage, aggregation, curation, conversion, anonymisation, pseudonymisation; those tools and services shall be used only at the explicit request or approval of the data holder and third-party tools offered in that context shall not use data for other purposes other than those requested or approved by the data holder;
Amendment 233 #
Proposal for a regulation
Article 19 – paragraph 2
Article 19 – paragraph 2
(2) The entity shall also ensure that the data is not be used for other purposes than those of general interest for which it permits the processing. Safeguards should be provided to ensure that misleading marketing practices are not used to solicit donations of data.
Amendment 237 #
Proposal for a regulation
Article 27 – paragraph 1 – point b
Article 27 – paragraph 1 – point b
(b) to advise and assist the Commission in developing a consistent practice of the competent authorities in the application of requirements applicable to data sharing providerproviders of data intermediation services;
Amendment 238 #
Proposal for a regulation
Article 27 – paragraph 1 – point b a (new)
Article 27 – paragraph 1 – point b a (new)
(ba) to advise and assist the Commission in developing consistent guidelines for the use of technologies to effectively prevent the identification of data subjects such as anonymisation, pseudonymisation, differential privacy, generalisation, or suppression and randomisation for the re-use of personal and non-personal data;
Amendment 239 #
Proposal for a regulation
Article 27 – paragraph 1 – point b b (new)
Article 27 – paragraph 1 – point b b (new)
(bb) to advise and assist the Commission in developing consistent guidelines on how to best protect, in the context of this Regulation, commercially sensitive data of non-personal nature, in particular trade secrets, but also non- personal data representing content protected by intellectual property rights from unlawful access that risks intellectual property theft or industrial espionage;
Amendment 240 #
Proposal for a regulation
Article 27 – paragraph 1 – point b c (new)
Article 27 – paragraph 1 – point b c (new)
(bc) to advise and assist the Member States and the Commission on the harmonisation of the interpretation and use of anonymisation and pseudonymisation of data across the Union;
Amendment 241 #
Proposal for a regulation
Article 27 – paragraph 1 – point b d (new)
Article 27 – paragraph 1 – point b d (new)
(bd) to advise and assist the Commission in developing consistent guidelines for cybersecurity requirements for the exchange and storage of data, in compliance with high level cybersecurity standards;
Amendment 242 #
Proposal for a regulation
Article 27 – paragraph 1 – point d
Article 27 – paragraph 1 – point d
(d) to advise and assist the Commission in addressing fragmentation of the data economy in the single market by enhancing the interoperability of data as well as data sharingintermediation services between different sectors and domains, building on existing European, international or national standards;
Amendment 244 #
Proposal for a regulation
Article 27 – paragraph 1 – point e
Article 27 – paragraph 1 – point e
(e) to facilitate the cooperation between national competent authorities under this Regulation through capacity- building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to the notification procedure for data sharing service providerproviders of data intermediation services and the registration and monitoring of recognised data altruism organisations.
Amendment 245 #
Proposal for a regulation
Article 28 – paragraph 2
Article 28 – paragraph 2
(2) The power to adopt delegated acts referred to in Articles 5 (9) and 5 (11) shall be conferred on the Commission for an indeterminate period of time from […].
Amendment 246 #
Proposal for a regulation
Article 28 – paragraph 3
Article 28 – paragraph 3
(3) The delegation of power referred to in Articles 5 (9) and 5 (11) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.
Amendment 250 #
Proposal for a regulation
Article 30 – paragraph 2
Article 30 – paragraph 2
(2) Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a public sector body, a natural or legal person to which the right to re-use data was granted under Chapter 2, a data sharing providerprovider of data intermediation services or entity entered in the register of recognised data altruism organisations to transfer from or give access to non- personal data subject to this Regulation in the Union may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or any such agreement between the requesting third country and a Member State concluded before [the entry into force of this Regulation].
Amendment 251 #
Proposal for a regulation
Article 30 – paragraph 3 – subparagraph 1 – introductory part
Article 30 – paragraph 3 – subparagraph 1 – introductory part
(3) Where a public sector body, a natural or legal person to which the right to re-use data was granted under Chapter 2, a data sharing providerprovider of data intermediation services or entity entered in the register of recognised data altruism organisations is the addressee of a decision of a court or of an administrative authority of a third country to transfer from or give access to non- personal data held in the Union and compliance with such a decision would risk putting the addressee in conflict with Union law or with the law of the relevant Member State, transfer to or access to such data by that third-country authority shall take place only:
Amendment 252 #
Proposal for a regulation
Article 30 – paragraph 4
Article 30 – paragraph 4
(4) If the conditions in paragraph 2, or 3 are met, the public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing providerprovider of data intermediation services or the entity entered in the register of recognised data altruism organisations, as the case may be, shall, provide the minimum amount of data permissible in response to a request, based on a reasonable interpretation of the request.
Amendment 254 #
Proposal for a regulation
Article 30 – paragraph 5
Article 30 – paragraph 5
(5) The public sector body, the natural or legal person to which the right to re-use data was granted under Chapter 2, the data sharing providerprovider of data intermediation services and the entity providing data altruism shall inform the data holder about the existence of a request of an administrative authority in a third-country to access its data, except in cases where the request serves law enforcement purposes and for as long as this is necessary to preserve the effectiveness of the law enforcement activity.