30 Amendments of Angelika NIEBLER related to 2020/0340(COD)
Amendment 139 #
Proposal for a regulation
Recital 6
Recital 6
(6) There are techniques enabling privacy-friendly analyses on databases that contain personal data, such as anonymisation, pseudonymisation, differential privacy, generalisation, oruse of synthetic data, suppression and, randomisation or other state-of-the-art privacy preserving methods. Application of these privacy-enhancing technologies, together with comprehensive data protection approaches should ensure the safe re-use of personal data and commercially confidential business data for research, innovation and statistical purposes. In many cases this implies that the data use and re-use in this context can only be done in a secure processing environment set in place and supervised by the public sector. There is experience at Union level with such secure processing environments that are used for research on statistical microdata on the basis of Commission Regulation (EU) 557/2013 (39 ). In general, insofar as personal data are concerned, the processing of personal data should rely upon one or more of the grounds for processing provided in Article 6 of Regulation (EU) 2016/679. _________________ 39Commission Regulation (EU) 557/2013 of 17 June 2013 implementing Regulation (EC) No 223/2009 of the European Parliament and of the Council on European Statistics as regards access to confidential data for scientific purposes and repealing Commission Regulation (EC) No 831/2002 (OJ L 164, 18.6.2013, p. 16).
Amendment 151 #
Proposal for a regulation
Recital 11
Recital 11
(11) Conditions for re-use of protected data that apply to public sector bodies competent under national law to allow re- use, and which should be without prejudice to rights or obligations concerning access to such data, should be laid down. Those conditions should be non-discriminatory, proportionate and objectively justified, while not restricting competition. In particular, public sector bodies allowing re- use should have in place the technical means necessary to ensure the protection of rights and interests of third parties and be empowered to request the necessary information from the re-user. Conditions attached to the re-use of data should be limited to what is necessary to preserve the rights and interests of others in the data and the integrity of the information technology and communication systems of the public sector bodies. Public sector bodies should apply conditions which best serve the interests of the re-user without leading to a disproportionate effort for the public sector. Depending on the case at hand, before its transmission, personal data should be fully anonymised, so as to definitively not allow the identification of the data subjects, or data containing commercially confidential information modified in such a way that no confidential information is disclosed. Where provision of anonymised or modified data would not respond to the needs of the re-user, on- premise or remote re-use of the data within a secure processing environment could be permitted. Data analyses in such secure processing environments should be supervised by the public sector body, so as to protect the rights and interests of others. In particular, personal data should only be transmitted for re-use to a third party where a legal basis allows such transmission. The public sector body could make the use of such secure processing environment conditional on the signature by the re-user of a confidentiality agreement that prohibits the disclosure of any information that jeopardises the rights and interests of third parties that the re-user may have acquired despite the safeguards put in place. The public sector bodies, where relevant, should facilitate the re-use of data on the basis of consent of data subjects or permissions of legal persons on the re-use of data pertaining to them through adequate technical means. In this respect, the public sector body should support potential re-users in seeking such consent by establishing technical mechanisms that permit transmitting requests for consent from re-users, where practically feasible. No contact information should be given that allows re-users to contact data subjects or companies directly.
Amendment 162 #
Proposal for a regulation
Recital 15
Recital 15
(15) Furthermore, it isn order to preserve fair competition and an open market economy it is of utmost importantce to protect commercially sensitive data of non- personal nature, notably trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to IP theft or industrial espionage. In order to ensure the protection of fundamental rights or interests of data holders, non-personal data which is to be protected from unlawful or unauthorised access under Union or national law, and which is held by public sector bodies, should be transferred only to third-countries where appropriate safeguards for the use of data are provided. Such appropriate safeguards should be considered to exist when in that third- country there are equivalent measures in place which ensure that non-personal data benefits from a level of protection similar to that applicable by means of Union or national law in particular as regards the protection of trade secrets and the protection of intellectual property rights. To that end, the Commission may adopt implementingdelegated acts that declare that a third country provides a level of protection that is essentially equivalent to those provided by Union or national law. The assessment of the level of protection afforded in such third-country should, in particular, take into consideration the relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law concerning the access to and protection of non-personal data, any access by the public authorities of that third country to the data transferred, the existence and effective functioning of one or more independent supervisory authorities in the third country with responsibility for ensuring and enforcing compliance with the legal regime ensuring access to such data, or the third countries’ international commitments regarding the protection of data the third country concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems. The existence of effective legal remedies for data holders, public sector bodies or data sharing providers in the third country concerned is of particular importance in the context of the transfer of non-personal data to that third country. Such safeguards should therefore include the availability of enforceable rights and of effective legal remedies.
Amendment 167 #
Proposal for a regulation
Recital 16
Recital 16
(16) In cases where there is no implementingdelegated act adopted by the Commission in relation to a third country declaring that it provides a level of protection, in particular as regards the protection of commercially sensitive data and the protection of intellectual property rights, which is essentially equivalent to that provided by Union or national law, the public sector body should only transmit protected data to a re-user, if the re-user undertakes obligations in the interest of the protection of the data. The re-user that intends to transfer the data to such third country should commit to comply with the obligations laid out in this Regulation even after the data has been transferred to the third country. To ensure the proper enforcement of such obligations, the re- user should also accept the jurisdiction of the Member State of the public sector body that allowed the re-use for the judicial settlement of disputes.
Amendment 172 #
Proposal for a regulation
Recital 18
Recital 18
(18) In order to prevent unlawful access to non-personal data, public sector bodies, natural or legal persons to which the right to re-use data was granted, data sharing providers and entities entered in the register of recognised data altruism organisations should take all reasonable measures to prevent access to the systems where non-personal data is stored, including encryption of data, cybersecurity measures or corporate policies.
Amendment 178 #
Proposal for a regulation
Recital 19
Recital 19
(19) In order to build trust in re-use mechanisms, it may be necessary to attach stricter conditions for certain types of non- personal data that have been identified as highly sensitive, as regards the transfer to third countries, if such transfer could jeopardise public policy objectives, in line with international commitments. For example, in the health domain, certain datasets held by actors in the public health system, such as public hospitals, could be identified as highly sensitive health data. Other relevant sectors could be transport, energy, environment, telecommunications and finance. In order to ensure harmonised practices across the Union, such types of highly sensitive non-personal public data should be defined by Union law, for example in the context of the European Health Data Space or other sectoral legislation. The conditions attached to the transfer of such data to third countries should be laid down in delegated acts. Conditions should be proportionate, non- discriminatory and necessary to protect legitimate public policy objectives identified, such as the protection of public health, public order, safety, the environment, public morals, consumer protection, privacy and personal data protection. The conditions should correspond to the risks identified in relation to the sensitivity of such data, including in terms of the risk of the re- identification of individuals. These conditions could include terms applicable for the transfer or technical arrangements, such as the requirement of using a secure processing environment, limitations as regards the re-use of data in third-countries or categories of persons which are entitled to transfer such data to third countries or who can access the data in the third country. In exceptional cases they could also include restrictions on transfer of the data to third countries to protect the public interest.
Amendment 249 #
Proposal for a regulation
Recital 40
Recital 40
(40) In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The Board should consist of representatives of the Member States, the Commission and representatives of relevant data spaces and specific sectors (such as health, agriculture, transport and statistics). The European Data Protection Board should be invited to appoint a representative to the European Data Innovation Board. A data innovation advisory council should be established as a sub-group of the Board consisting of relevant representatives from industry, research, standardisation organisations and other relevant stakeholders. That council should support the work of the Board by providing advice relating to the exchange of data, and in particular on how to best protect commercially sensitive data of non-personal nature, notably trade secrets, but also non-personal data representing content protected by intellectual property rights from unlawful access that may lead to IP theft or industrial espionage.
Amendment 252 #
Proposal for a regulation
Recital 40
Recital 40
(40) In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The Board should consist of representatives of the Member States, the Commission and representatives of relevant data spaces and specific sectors (such as health, agriculture, transport and statistics) as well as representatives of academia, research and standard setting organisations, where relevant. The European Data Protection Board should be invited to appoint a representative to the European Data Innovation Board.
Amendment 255 #
Proposal for a regulation
Recital 40
Recital 40
(40) In order to successfully implement the data governance framework, a European Data Innovation Board should be established, in the form of an expert group. The Board should consist of representatives of the Member States, the Commission and representatives of relevant data spaces and specific sectors (such as health, energy, industrial manufacturing, agriculture, transport and statistics). The European Data Protection Board should be invited to appoint a representative to the European Data Innovation Board.
Amendment 262 #
Proposal for a regulation
Recital 41
Recital 41
(41) The Board should support the Commission in coordinating national practices and policies on the topics covered by this Regulation, and in supporting cross- sector data use by adhering to the European Interoperability Framework (EIF) principles and through the utilisation of European and international standards and specifications (such asincluding through the EU Multi-Stakeholder Platform for ICT Standardisation, the Core Vocabularies44 and the CEF Building Blocks45 ), without prejudice to standardisation work taking place in specific sectors or domains. Work on technical standardisation may include the identification of priorities for the development of standards and establishing and maintaining a set of technical and legal standards for transmitting data between two processing environments that allows data spaces to be organised without making recourse to an intermediary. The Board should cooperate with the Data Innovation Advisory Council, sectoral bodies, networks or expert groups, or other cross- sectoral organisations dealing with re-use of data. Regarding data altruism, the Board should assist the Commission in the development of the data altruism consent form, in consultation with the European Data Protection Board. _________________ 44 https://joinup.ec.europa.eu/collection/sema ntic-interoperability-community- semic/core-vocabularies 45 https://joinup.ec.europa.eu/collection/conn ecting-europe-facility-cef
Amendment 284 #
Proposal for a regulation
Article 1 – paragraph 2 a (new)
Article 1 – paragraph 2 a (new)
(2 a) This Regulation is without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council, to Directive 2002/58/EC of the European Parliament and of the Council and Directive (EU) 2016/680 of the European Parliament and of the Council1a. This Regulation should in particular not be read as creating a new legal basis for the processing of personal data for any of the regulated activities. Its implementation should not prevent cross- border transfers of data in accordance with Chapter V of Regulation (EU) 2016/679 from taking place. _________________ 1aDirective (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. (OJ L 119, 4.5.2016, p. 89)
Amendment 326 #
Proposal for a regulation
Article 2 – paragraph 1 – point 10
Article 2 – paragraph 1 – point 10
(10) ‘data altruism’ means the consentvoluntary sharing of data by data subjects to process personal data pertaining to them, or permissions of other data holders to allow the use of their non- personal data without seeking or receiving a reward, for purposes of general interest, such as scientific research purposes, policy making or improving public services;
Amendment 336 #
Proposal for a regulation
Article 2 – paragraph 1 – point 14
Article 2 – paragraph 1 – point 14
(14) ‘secure processing environment’ means the physical or virtual environment and organisational means to provide the opportunity to re-use data in a manner ensuring compliance with applicable legislation that allows for the operator of the secure processing environment to determine and supervise all data processing actions, including to display, storage, download, export of the data and calculation of derivative data through computational algorithms.
Amendment 379 #
Proposal for a regulation
Article 5 – paragraph 4 – point a
Article 5 – paragraph 4 – point a
(a) to access and re-use the data within a secure processing environment provided andor controlled by the public sector ;
Amendment 385 #
Proposal for a regulation
Article 5 – paragraph 5
Article 5 – paragraph 5
(5) The public sector bodies shall impose conditions that preserve the integrity of the functioning of the technical systems of the secure processing environment used. The public sector body shall be able to verify any results of processing of data undertaken by the re- user and reserve the right, after giving the re-user the possibility to provide further information, to prohibit the use of results that contain information jeopardising the rights and interests of third parties.
Amendment 399 #
Proposal for a regulation
Article 5 – paragraph 9 – introductory part
Article 5 – paragraph 9 – introductory part
(9) The Commission may adopt implementingdelegated acts declaring that the legal, supervisory and enforcement arrangements of a third country:
Amendment 402 #
Proposal for a regulation
Article 5 – paragraph 9 – subparagraph 1
Article 5 – paragraph 9 – subparagraph 1
Those implementingdelegated acts shall be adopted in accordance with the advisory procedure referred to in Article 29 (2)8.
Amendment 440 #
Proposal for a regulation
Article 7 – paragraph 2 – point b
Article 7 – paragraph 2 – point b
(b) providing technical support in the application of tested techniques ensuring data processing in a manner that preserves privacy of the information contained in the data for which re-use is allowed, including techniques for pseudonymisation, anonymisation, generalisation, suppression and, randomisation of personal data or other state-of-the-art privacy preserving methods;
Amendment 446 #
Proposal for a regulation
Article 7 – paragraph 5
Article 7 – paragraph 5
(5) The Member States shall make public and communicate to the Commission the identity of the competent bodies designated pursuant to paragraph 1 by [date of application of this Regulation]. They shall also make public and communicate to the Commission any subsequent modification of the identity of those bodies.
Amendment 451 #
Proposal for a regulation
Article 8 – paragraph 2 a (new)
Article 8 – paragraph 2 a (new)
(2 a) The single information point may establish a separate, simplified and well- documented information channel for small and medium-sized enterprises (SMEs), addressing their needs and capabilities in requesting the re-use of the categories of data referred to in Article 3 (1).
Amendment 454 #
Proposal for a regulation
Article 8 – paragraph 3
Article 8 – paragraph 3
(3) Requests for the re-use of the categories of data referred to in Article 3 (1) shall be granted or refused by the competent public sector bodies or the competent bodies referred to in Article 7 (1) within a reasonable time, and in any case within two months from the date of the request. In order to contribute to a consistent application of this Regulation the competent public sector bodies shall cooperate with each other, and where relevant with the Commission, when refusing requests for re-use of the categories of data referred to in Article 3 (1).
Amendment 459 #
Proposal for a regulation
Article 9 – paragraph 1 – point b
Article 9 – paragraph 1 – point b
(b) intermediation services between data subjects that seek to make their personal data available and potential data users, including making available the technical or other means to enable such services, in the exercise of the rights provided in Regulation (EU) 2016/679, in particular managing the data subjects’ consent to data processing;
Amendment 490 #
Proposal for a regulation
Article 10 – paragraph 9
Article 10 – paragraph 9
(9) The competent authority shall notify the Commission of each new notification without delay and the Commission shall forward each notification to the national competent authorities of the Member States by electronic means. The Commission shall keep a register of providers of data sharing services.
Amendment 497 #
Proposal for a regulation
Article 10 – paragraph 10
Article 10 – paragraph 10
(10) The competent authority may charge fees. Such fees shall be proportionate and objective and be based on the administrative costs related to the monitoring of compliance and other market control activities of the competent authorities in relation to notifications of data sharing services. The competent authority may also charge discounted fees or allow free of charge notification for small and medium-sized enterprises (SMEs).
Amendment 499 #
Proposal for a regulation
Article 10 – paragraph 11
Article 10 – paragraph 11
(11) Where a provider of data sharing servicesdata intermediary ceases its activities, it shall notify the relevant competent authority determined pursuant to paragraphs 1, 2 and 3 within 15 days. The competent authority shall forward without delay each such notification to the Commission by electronic means. The Commission without delay shall forward each notification to the national competent authorities inof the Member States and to the Commission by electronic meansby electronic means and update the public register.
Amendment 519 #
Proposal for a regulation
Article 11 – paragraph 1 – point 8
Article 11 – paragraph 1 – point 8
(8) the providerdata intermediary shall take measures to ensure a high level of security, including state-of-the-art cybersecurity, for the storage and transmission of non- personal data; and the intermediary shall further ensure the highest level of security, including state-of-the-art cybersecurity, for the storage and transmission of competitively sensitive information; the data intermediary shall inform the competent authority without delay of any security breach that jeopardises the security of data.
Amendment 535 #
Proposal for a regulation
Article 12 – paragraph 3
Article 12 – paragraph 3
(3) The designated competent authorities, the data protection authorities, the national competition authorities, the authorities in charge of cybersecurity, and other relevant sectorial authorities shall exchange the information which is necessary for the exercise of their tasks in relation to data sharing providers and ensure consistency of the decisions taken in application of this directive.
Amendment 675 #
Proposal for a regulation
Article 26 – paragraph 2
Article 26 – paragraph 2
(2) Stakeholders and relevant third parties may be invitedThe Board shall establish a Data Innovation Advisory Council (the “Advisory Council”). The Advisory Council shall be composed of relevant representatives from industry, SMEs, research, standardisation organisations and other relevant stakeholders and third parties invited from all Member States to maintain geographically balanced representativeness. The Advisory Council shall nominate a representative to attend meetings of the Board and to participate in its work.
Amendment 693 #
Proposal for a regulation
Article 27 – paragraph 1 – point b a (new)
Article 27 – paragraph 1 – point b a (new)
(b a) to advise and assist the Commission in developing consistent guidelines on how to best protect, in the context of this Regulation, commercially sensitive data of non-personal nature, notably trade secrets, but also non- personal data representing content protected by intellectual property rights from unlawful access that may lead to IP theft or industrial espionage.
Amendment 708 #
Proposal for a regulation
Article 27 – paragraph 1 – point e
Article 27 – paragraph 1 – point e
(e) to facilitate the cooperation between national competent authorities, the Commission and other European and international bodies under this Regulation through capacity- building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to the notification procedure for data sharing service providers and the registration and monitoring of recognised data altruism organisations.