Momentous development in EU law for the digital market: the EU Commission is expected to publish today the #DataGovernanceAct proposal for a Regulation. From a new European Board, to fiduciary duties, to data intermediaries, data cooperatives (!) and data altruism… 1/
There are plenty of things to look out for! Here is my top list of hot topics, based on the leaked version that circulated among Brussels tech media a couple of weeks back. First: lots of “data sovereignty” undertones to key rules, sometimes sliding into data localization … 2/n
Exhibit A: The title regulating the re-use of data held by public sector bodies allows such re-use by different actors “within the Union”, with an additional specification that “the processing of such data shall be limited to the European Union” 3/
Exhibit B: Data intermediaries, sometimes known as data trusts, but officially labeled under the leaked proposal ‘Providers of Data Sharing Services’ must be established within the Union or EEA if they want to be authorized for data intermediary services 4/n
Exhibit C: Entities engaging in data collection on the basis of data altruism must either be established in the EU or EEA, or be an international organization subject to lawful data transfers under the GDPR. In short, these data sovereignty undertones are worth following 5/n
The Providers of Data Sharing Services will have an interesting array of services they can provide: Supporting ‘data holders’ (e.g. a company holding data) to make their data available to users; supporting data subjects with their #GDPR requests and creating data spaces …6/n
And services related to the creation of “data cooperatives”, which would allow a group of data subjects to collectively exercise their GDPR rights; Side note: it’s the first time I’m hearing of data cooperatives! If you’ve heard of them or know any research, please share! 7/
Remarkably, the draft regulation will likely introduce a fiduciary duty of the data intermediary with regard to the data subject. In this particular scenario, a #FiduciaryDuty might make sense indeed, as opposed to other data processing scenarios 8/n
There are many other noteworthy aspects to this draft Proposal. Really, do keep your eyes on it. Its interaction with the GDPR is fascinating. While the GDPR is often referred to in provisions, its vocabulary has not been transposed. 9/n
e.g., there are no controllers & processors here, but data holders & data users; the Regulation also refers to “joint exploitation of data” which probably will trigger alarm bells with the EDPS, EDPB, advocates. It also has references to specific anonymization techniques 10/n
It specifically integrates GDPR rules on lawful grounds for processing, especially when it comes to sensitive data, and on withdrawal of consent when it comes to data altruism. But, in any case, keep in mind that the proposal covers BOTH personal and non-personal data 11/n
One interesting bit: it seems we will have a new European Board, this time a European Data Innovation Board! The Commission is not taking any more risks and seems to want to keep it under its wing, even though it will have representatives of Member States as members 12/n
Some afterthoughts: these types of data regulations are the ultimate test for data protection law: how strong is it? Is it really up to be the necessary “rules of the road” on this new "data highway"? But most of all, they will reveal the tension btwn data protection & privacy 13/
All in all, fascinating developments. All of the info above came from a leak published by Politico a couple of weeks back, so let’s see what the Proposal actually looks like. Looking forward to the debates! And all your input friends! 14/END
Massive UPDATE: Here is the link to the official proposal! Now time to do some reading, folks! (& keep in mind the EU legislative process is a complicated mammoth. This is just the first steps, many mountains to climb after it!) ec.europa.eu/digital-single…
... within the federalized legal system, where consumer protection agencies, big and small, have a strong tradition of enforcing consumer rights, where Prosecutors from the Public Ministry - federal and regional, have the power to bring #LGPD breaches to Court ... 2/n
... where there is a long tradition of class actions, with actually very few barriers to proceed in Court from an admissibility and costs perspective, where the Supreme Constitutional Court recognized this year an autonomous fundamental right to data protection... 3/n
The CJEU clearly upheld its string of serious data protection cases against gov access to personal data, starting with Digital Rights Ireland, then Schrems I, then Tele2Sverige, EU-Canada PNR Opinion. If you knew those decisions, the outcome of the PS assessment is no surprise.
The surprise was that the Court decided to go full strength in this particular case, after the AG has given it a way out to postpone the assessment of the PS and focus on SCCs. Clearly, the Court saw an inextricable link between the two. The other option would have been...
to show the weaknesses of the Privacy Shield and give the Commission and the US government time to act/react, while sharpening Commission's attention to the rest of the world too, with Chinese-based apps taking more and more of the European market very recently.
Worrying news from Brazil 🇧🇷 The Fake News bill being discussed by Congress imposes mandatory social media account ID registration (!) and seems to be aiming for strict data localization and data retention obligations. 1/5 #LGPD #GDPR #privacy
If you thought mandatory SIM card registration is bad, this is worse. All social media users would have to provide valid Brazilian ID or passports if they’re foreigners & a Brazilian phone number to be able to open a user account. 2/5
It also aims to impose data retention obligations for internet connection logs (!) for 1 year by ISPs and 6 months by online applications. Plans for EU Adequacy post-LGPD may be … problematic. See CJEU in Digital Rights Ireland curia.europa.eu/juris/document… 3/5 #dataretention #GDPR
Andrea Jelinek, Chair of @EU_EDPB, said there are currently 70 cross-border cases w final decisions, proving that OSS works; ‘these are not spectacular cases in terms of fines’ though #CPDP2020 #OneStopShop #GDPR
Most of these +70 cases are related to the rights of the data subject (erasure & access), followed by cases related to data breach notifications.
One of the main challenges for smooth functioning of OSS are differences in national procedural laws. ‘Resolution of cross border cases is time & resource consuming & intensive’ #CPDP2020
I still can't stop being amazed by the 1973 HEW Report, which recommended a US Federal Code for Fair Information Practice. Check this out - it recommended all those goodies that are currently a GDPR trademark, starting with having some sort of DPO in place 1/ :
Have data security measures in place and only share personal data with third parties after ensuring the third party has appropriate safeguards in place 2/
And it even recognized some sort of portability rights. Yes, #portability! 3/
With my last drop of CJEU judgments brainpower for the week, here are some key points from the global takedown of #Facebook defamatory comments case published yesterday #Glawischnig Long thread alert! 1/x curia.europa.eu/juris/document…
Setting the scene: this is not a data protection or #privacy case. This is a case concerning deletion of information, but grounded on defamation. It is irrelevant for the case at hand that those comments contained personal data, even if they did. 2/
Fun fact: the #GDPR specifically excludes from its scope of application those situations which also fall under the scope of liability rules for intermediary service providers, Art 12 to 15 from eCommerce Directive, precisely what the CJEU was asked to interpret. 3/