.svg)
Industry associations in the banking and tech sector have released a joint statement regarding concerns over proposed access to data by public authorities.
Trade associations including the European Banking Federation, European Savings and Retail Banking Group and techUK have called on EU policymakers to ensure that unrestricted access to data by public bodies is not legalised in the incoming Data Act.
The joint statement says that access to data by public bodies is “a double-edge tool to use with caution and restraint”.
The European Commission first proposed the Data Act in February 2022.
The proposal encompasses new rules on who can use and access data generated in the EU across all economic sectors.
The commission also suggested that it will ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all.
Vague wording
“In times of crisis, companies stand ready to do their part and help public bodies by sharing data to tackle public emergencies, as evidenced during the COVID-19 pandemic,” the statement says. “However, to function, mandatory data sharing between private companies and governments needs clear and transparent conditions for all parties involved.”
Chapter V of the Data Act proposal was developed on this basis, setting an obligation for companies to make any data available to public bodies, but the associations believe it does so by loosely referring to various cases of "exceptional need".
The proposed framework includes collecting data to prevent, respond to and recover from a public emergency but also fulfilling one of the public sector body’s tasks where the lack of data would prevent it from doing so.
“The latter can be interpreted as any activity carried out by a public institution,” the statement says.
The proposed rules would mean that any public body, at EU, national, regional or local level, could request any type of data, including personal data, from any data holder, for any reason.
“We believe these rules do not respect the requirements set out in the EU’s Charter of Fundamental Rights,” says the statement. “With such a broad scope, there is a risk that personal or sensitive data will be leaked or misused.”
The associations argue that public emergencies are by nature time sensitive, and that they require a clear and structured legal framework to prepare for secure transfers that fully respect data protection.
However, contrary to other parts of the Data Act, Chapter V covers any type of data, without any differentiation, limitation or exception.
The trade associations also express concern that the data’s intended use and its duration are also left to be defined by the public bodies themselves, and say that the proposal also fails to recognise existing frameworks for data sharing and reporting obligations.
“We strongly encourage Council and Parliament to implement the necessary safeguards and limits to protect the rule of law in Europe,” the associations say.
Although the Parliament’s attempts to set certain limits, such as restricting Chapter V to non-personal data, limiting public authorities’ power to freely ask for data when it is simply convenient and regardless of proportionality, and by setting rules for certain information to be specified in the requests are welcomed, they state that “this will not be enough”.
The associations recommend “at least” that only public emergencies can give rise to data access, calling for Article 15(c) of the regulation to be deleted, and they further state that personal data cannot be in scope of Chapter V.
“No exceptions,” the statement says.
Meanwhile, the lobby groups say that categories of public bodies that can request data must be expressly designated, and access requests conditions must be strengthened, with transparency regarding data use and protective measures.
“We trust that EU policymakers will take the time to build a clear and proportionate framework that does not allow unrestricted access to any data on shaky grounds, but will on the contrary protect fundamental rights and the rule of law,” says the statement.
Others are worried too
Earlier this month, trade associations in the crypto and digital finance space, such as Blockchain for Europe, the Association for the Development of Crypto-Assets and the Digital Currencies Governance Group, also submitted a joint statement on the Data Act.
They were particularly concerned about the impact on smart contracts.
Smart contracts are code written into a blockchain that executes the terms of an agreement or contract from outside the chain.
It automates the actions that would otherwise be completed by the parties in the agreement, which removes the need for both parties to trust each other.
“We are concerned that the current scope and wording of the Data Act may inadvertently encompass smart contracts based on DLT, which by their inherent nature and design, may prove difficult or even impossible to comply with certain requirements.”
The associations suggest that the proposal may hinder the development of this novel technology.
In addition, they caution that this is particularly relevant for smart contracts based on decentralised DLT infrastructures, which constitute the overwhelming majority of smart contracts deployed and used now.
“For these reasons, we ask the co-legislators to clarify that the Data Act does not cover DLT-based smart contracts in the domain of IoT [internet of things] data sharing.”
