On 18 November 2021, the European Data Protection Board (EDPB) adopted a statement (the Statement) on the recent legislative proposals issued as part of the European Commission’s Digital Services Package and Data Strategy.
The EDPB refers in particular to the four proposed pieces of legislation, namely, the Digital Services Act (DSA), the Digital Markets Act (DMA), the Data Governance Act (DGA) and the Regulation on a European approach for Artificial Intelligence (AIR), as well as the Data Act, expected in early 2022 (together, the Proposed Legislation).
Whereas the combined effect of the Proposed Legislation on the fundamental right to privacy and to protection of personal data is significant, the Proposed Legislation, in the EDPB’s view, does not include sufficient safeguards for the rights and freedoms of individuals, will introduce fragmented supervision over data processing and creates the risk of inconsistent requirements. The EDPB expects that, unless amended, the Proposed Legislation will negatively impact the rights of individuals, undermine the existing and future legal frameworks for data protection and hamper innovation.
The EDPB points to its previous opinions and statements issued about each of these legislative proposals and calls for a holistic view on their impact on the fundamental rights of individuals and society. The EDPB recommends that the European Commission clearly state in each of the proposals that they should not affect or undermine the application of existing data protection rules, as well as ensure that these rules prevail whenever personal data are being processed. The EDPB further names several examples of requirements in the Proposed Legislation that it considers unfortunate and makes several recommendations on how to improve the proposals as a way forward.
The EDPB recommends, amongst others, that:
- the AIR proposal should include a prohibition on the use of AI systems that categorise individuals based on biometrics according to ethnicity, gender, political or sexual orientation or other discriminatory grounds. Likewise, the use of AI for automated recognition of human features in public spaces should be prohibited;
- the use of AI to infer emotions of a natural person should also be prohibited under the AIR, except under certain conditions in some well-defined cases (for instance, the EDPB cites health and research purposes) where safeguards are in place;
- in the DSA proposal, online targeted advertising that relies on pervasive tracking should be prohibited following a transition period and substituted by less intrusive techniques that do not involve tracking users’ interaction with content, whilst the profiling of children should be completely prohibited;
- interoperability requirements should be introduced in the DSA and DMA to promote competition and provide users with a wider choice of services that offer better privacy and data protection; and
- provisions on supervisory authorities should be aligned. Without this, the Proposed Legislation risks creating fragmented supervision with overlapping competences of supervisory bodies and authorities over the same entities, while failing to establish a framework for structured cooperation between various competent authorities. Each of these proposals should, therefore, clearly designate data protection supervisory authorities among the relevant competent authorities, establish the rules for cooperation and information sharing between all authorities (such as on the outcomes of audits and investigations) and provide an explicit legal basis for the exchange of information necessary for effective cooperation.
The Statement further comments on the proposal for a ‘Data Act’ that the European Commission is expected to present in early 2022. The EDPB reiterates its earlier position that any upcoming proposals which may have an impact on the protection of personal data must uphold respect for, and the application of, the existing EU law on personal data protection.
The EDPB also recommended that the Data Act and any other forthcoming legislative proposals define specific data protection safeguards at the outset, in particular data minimisation, purpose limitation and transparency, clearly specify which data may be processed, for which purposes and for how long, clarify the parties with whom personal data may be shared and take into account the processing of special categories such as health data. Proposals relating to connected objects (such as the Internet of Things or Internet of Bodies) should include direct obligations of data protection by design and by default.
In relation to processing for scientific research purposes, the EDPB mentions that lawful, responsible and ethical data management (including vetting requirements for researchers with access to large amounts of potentially sensitive personal data) should be set out in the proposals.
Read The Statement on the Digital Services Package and Data Strategy.