On November 24, 2022, was held the webinar “UK and EU between data economy and protection of rights: conflicts and opportunities” organized by Officine Dati. The UK is discussing the reform of the UKGDPR, the transposition of the post-Brexit EU regulation into national law. The aim of the discussion was to do a ” review” of the GDPR, by going through the public criticisms made of the Union’s data protection framework, in order to check its objective validity, such that changes to the current regulatory framework are suggested.
During the roundtable discussion, where the complexity of possible legislative changes was unanimously noted, given the intricate compromise procedure for drafting legislation within the EU, Professor Gianclaudio Malgieri pointed out that the European legislator is already intervening with “lateral” changes to the corpus of the GDPR, through the implementation of the EU Digital Strategy.
EU digital strategy
Although the EU Digital Strategy was launched in 2020, it can be said to have originated from earlier, including the data protection framework package. In this regard, to date, the EU digital strategy can be distinguished into 5 main phases:
- the protection of personal data rights
- the free use of non-personal data
- the regulation of the digital marketplace
- the sharing of personal data and the creation of common data spaces
- the vertical disciplines of data related to advanced technologies.
1. Protection of personal data rights
The first phase – from 2012-2018 – covers the package of regulations with the aim of protecting the fundamental rights and freedoms of data subjects, in relation to personal data concerning them. Included therein are the GDPR (2016/679) and EUDPR (2018/1725) regulations – the latter addressed to EU institutions – the Directive on the Processing of Personal Data for Police Purposes (2016/680), as well as the proposed e-Privacy Regulation, of whose legislative process we are unable to make predictions about its conclusion. In all of these regulations, general principles and rules of protection are outlined in order to enable the use of personal data for the specific purposes set forth therein: that is, principles and rules are instrumental to the lawful use of personal data. The enactment into law of the e-Privacy Regulation will conclude the package of rules in this area.
2. Free use of non-personal data
Having essentially completed the regulatory platform of the protection of rights, while respecting the anthropocentric and value-driven political dimension of the digital world that characterizes the EU, in 2018-2019 we moved on to address the other aspect of the data protection-use dichotomy: there was a primary focus on non-personal data; rules were introduced for the free flows of these data within the EU with the removal of potential boundaries (Free Flow Regulation (2018/1807) as well as the free reuse of non-personal data held by the public sector for public interest purposes (“Open Data” Directive 2019/1024).
3. Regulation of the digital marketplace
Third, within 2022, the European Union then moved on to regulate the digital market to counter monopoly positions or abuse of dominant position of the so-called “gatekeepers,” i.e., large online platforms, such as technology companies providing very large online search engines (DMA 2022/1925), in addition to regulating the provision of digital services (DSA 2022/2065).
4. Sharing of personal data
Also in 2022, the Union laid the groundwork for the sharing of personal data by enacting the Data Governance Act (DGA 2022/868) aimed at the establishment of so-called “common data spaces” of which, the first proposed framework is the future Euopean Health Data Space Regulation, issued by the Commission. The solution identified by the Commission to facilitate such sharing while complying with the requirements of the GDPR was to provide for the establishment of the new figures of data brokers, a kind of clearinghouses between data supply and demand, enabling “many-to-many” transactions in this area. In short, data subjects on a voluntary basis specify to intermediaries the conditions under which certain personal data about them can be shared with third parties for certain purposes. Intermediaries, independent and trustworthy bodies subject to notification to the authority, are responsible for verifying compliance with the conditions dictated by data subjects on the part of potential users as well as for providing data subjects with mechanisms for their easy control. Along with intermediaries, the DGA also provides for data altruism bodies, nonprofit entities subject to registration with the authority, which facilitate the use of data subjects‘ personal data for purposes of collective interest.
The proposed regulation on the European Health Data Space, along the lines of the DGA, regulates both the case of primary use of such data-essentially for purposes of treatment of the data subject–patient-and secondary use, that is, for purposes beyond the original purpose. The proposal is currently under discussion in the EU Council while the legislative process has not yet begun in Parliament.
The involvement of specific intermediaries – to whom the data subject communicates his or her decisions on the use of his or her health data –along with the establishment of appropriate dashboards for direct control over the use of the data, facilitates the reuse of health data for scientific research purposes founded on the legal basis of legitimate interest, thus overcoming the need to resort to patient consent.
5. Vertical disciplines on advanced technology-related data
The last phase recalled concerns the proposed legislation referring to data, personal and non-personal, related to the use of special technologies: such as the proposed EU Artificial Intelligence Act (AIA) and the proposed Data Act (presented in February 2022); the latter deals with the use of data collected through Internet of Things technologies, as well as providing for balanced data sharing arrangements for SMEs, the elimination of barriers to data porting in cloud services as well as obligations for companies to provide certain data under certain key conditions. These acts are currently at the proposal level: for both the AIA and the Data Act, discussions are underway in the EU Council to approve the text at first reading; while the EU Parliament has yet to begin its process.