
Is data protection going astray?
EU Commission proposes a data governance regulation.
Dr. S-W – 03/2021
You occasionally hear a joking comparison
about how personal data is handled at conventions. The question is: who owns my
data? The market in the USA. The company in China. Myself in Europe.
Now, Europe is well on the way to following
the American example. In any case the EU Commission's draft "Data
governance regulation" of November 25, 2020 shows which way we are going.
Being a horizontal policy, it lays down the principles for both the secondary
use and reusing of protected data, including social and health data that is
controlled by public authorities and regardless of the original purpose for
collecting this data. This can essentially be summarised as facilitating
third-party access to social and patient data. For example, this data can then
benefit R&D work that improves planning and care in the interests of the
insured.
The
problem here is that the legal ramifications are not limited to this. Third
parties pursuing purely commercial purposes should also be able to access the
data. Although the regulation does not establish an independent "right of
access", but prohibits discrimination with regard to potential data
recipients. In the interest of an open internal data market, disclosure of
sensitive data by the administration would become the rule, whilst refusal of
access will become an exception requiring justification.
The Commission launched a public
consultation at the same time as it published the draft COM (2020) 767 final
regulation. The leading German Social Insurance organisations took the opportunity
to present their position. In their reply, they welcome the creation of
European Data Spaces. It now remains to be clarified who may enter them, for
what purpose and what duties of care the user must fulfil. In order to ensure
trustworthy handling of public data and especially social data, the umbrella
organisations propose specific amendments to the draft regulation, see the DSV
opinion here.
The focus is on protecting the trust of the
affected persons and that the use of their data will be limited to the minimum
needed to fulfil the purpose of collection and that secondary use will also be
within the scope of a clearly defined and limited care and administrative
mandate.
It appears that the Commission is now
planning to publish a revised version of the proposed regulation. The umbrella
organisations will closely follow the Commission’s course of action.