Data Act vs GDPR: Industry Representatives Warn of Conflicts and Call for a Level Playing Field
27th April 2023. Brussels, Belgium: IAB Europe, the leading European-level association for the digital advertising and marketing ecosystem, signed today a letter to policymakers on the Data Act with fellow European-level Industry Trade Associations including the Advertising Information Group (AIG), the Federation of European Data and Marketing (FEDMA), The European Confederation of Pharmaceutical Entrepreneurs (EUCOPE) and SMEUnited and its National Digital Advertising Association members including Alliance Digitale (IAB France), BVDW, IAB Ireland, IAB Poland, IAB Spain, and IAB Sweden.
The letter, sent to several Members of the European Parliament, the Swedish Presidency, and Commissioner Mr. Breton, warns of potential conflicts between the Data Act and the GDPR, emphasising the importance of ensuring a fair playing field. In particular, the letter expresses signatories’ concerns about the European Commission’s original proposal and the Council’s position on Article 6.2 (b) that clearly interfere with the GDPR and would lead to unintended consequences that will work against achieving a level playing field and impede innovation.
The signatories made a recommendation to policymakers involved in the trilogue negotiations to ensure that the Data Act aligns with the GDPR by supporting the text adopted by Parliament concerning article 6.2 (b). Furthermore, they urged policymakers to ensure that the provisions set out in the GDPR, including safeguards to user privacy, prevail for the processing of personal data. Granting that the current EU data protection legal framework will secure a future-proof Data Act text, welcoming competition, growth in the digital economy and future innovations instead of ruling them out from the outset.
The full letter can be viewed on IAB Europe’s website here and below.
Date: 27 April 2023
Dear MEP Ms del Castillo and MEP Mr Lagodinsky, MEP Mr Bielan, MEP Mr García del Blanco, MEP Ms Kumpula-Natri, MEP Ms de la Pisa Carrión, MEP Mr Mituța, MEP Mr Boeselager, MEP Ms Lizzi, MEP Ms Kontoura,
Dear Ms Björesten and Mr Källström,
Dear Commissioner Mr Breton,
Industry representatives warn of potential conflicts between Data Act and GDPR and emphasise the importance of ensuring a fair playing field ahead of the trilogue negotiations.
We are a group of diverse stakeholders, including SMEs, representing different industries within the business community, including digital advertising and marketing. As the institutions enter trilogue negotiations on the proposal for a regulation on the harmonised rules on fair access to and use of data (the “Data Act”), we would like to reiterate our concerns about the potential unintended consequences of Article 6.2 (b). These concerns apply to the wording in the European Commission’s original proposal and the Council’s position that clearly interfere with the GDPR and work against achieving a level playing field and impede innovation.
Regarding the Council’s changes to Article 6.2. (b), we fear that the scope of action for third parties is unjustifiably restricted by adding ambiguity to what constitutes an “objectively necessary” service and allowing profiling solely for the purpose of service delivery. Lack of legal certainty in the already complex digital world will trigger reticence to innovate for fear of a sanction.
While we support the changes proposed by the European Parliament for Articles 6. 2 (b) and 6.2 (c), we point out that the current wording of Article 5 (1) contradicts Article 6.2 (b) by adding an indicative list of limited purposes for data processing. On the contrary, we believe that the Data Act should be flexible and future-proof, welcoming future innovations instead of ruling them out from the outset.
The Data Act interferes with the GDPR and eliminates the legal basis of processing for third parties
By effectively prohibiting practices that are fully compliant with the GDPR in Article 6.2 (b), the Data Act substantially undermines the existing data protection framework (GDPR) and its core principle that processing of personal data is permitted so long as it relies on one of the six legal bases.
Germany’s statement on 12 January 2023 proposed to remove Article 6.2 (b) from the Data Act, arguing that “the GDPR and the sector-specific data protection law must not be circumvented and their level of protection must be maintained”. We agree that the Data Act should establish norms for a coherent legal framework and should align with the GDPR’s legal basis, as stated also in Article 1.3 of the Data Act, to ensure that the European data protection legal framework, especially the GDPR, remains applicable.
Circumventing the GDPR with a set of contradicting provisions would create commercial and legal uncertainty for entities that have adapted to its rules and strip them of the possibility to legally process personal data for profiling purposes. Additionally, due to a very broad definition of profiling that is still being interpreted by Data Protection Authorities and Courts, the magnitude of such prohibition is well underestimated and will outlaw longstanding and widely accepted processing activities in all industry sectors.
This can be also illustrated by the following example in the energy sector:
A connected product, such as an electricity meter, collects data through the use of its product. The data is then made available to the user through a third-party user-facing interface. Such an interface assists the user and facilitates his/her decision-making, for example by answering questions, such as “How much energy am I consuming per month?”. The possibility to answer this question relies on profiling operations related to the user’s activities and the use of the electricity meter. The prohibition of profiling would ultimately prevent device manufacturers from exploring lawful partnerships with
trusted third parties. The possibilities to enhance their products by offering customised, value-added services to consumers by handling personal and non-personal data would be significantly curtailed.
Current provisions of the Data Act fail to ensure a level playing field and are in contrast with the regulation’s aim to foster innovation and economic growth
The main issue lies in the differential treatment of the “data holder” who is allowed to carry out profiling activities, compared to the “data recipient”, who is prohibited from doing so under Article 6.2 (b) of the Data Act.
This discrepancy could favour vertically integrated enterprises that already hold large amounts of data, aggravating data concentration, and enabling such enterprises to leverage further their integration and their data, including for profiling purposes.
The Data Act aims to facilitate new and innovative uses of existing data. However, some businesses, which rely on the lawful processing of data for profiling , could be affected by Article 6.2 (b) of the Data Act. This could limit their ability to use data, create and train algorithms, which could have negative consequences not only for incubators of high-end digital skills but also SMEs that support the wider EU economy. Widespread data sharing allows SMEs to leverage customer data and provide efficient services and goods tailored to customer’s needs. Hence, the Data Act is crucial for SMEs’ willingness to access and process data and to allow new, innovative SMEs to emerge, grow and scale up. As highlighted above, such developments cannot be in line with EU’s competition goals and threaten the diversity of the digital economy.
Given the potential impact of the Data Act on the digital economy and data-driven innovation, we believe it is crucial for policymakers to support the text adopted by Parliament regarding article 6.2 (b). Specifically, we recommend that policymakers ensure that the Data Act aligns with the GDPR and that it enables, rather than undermines, new data-driven business models and supply chains. In order to deliver pro-competitive outcomes, it is important for service providers, including commercial partnerships acting as third parties, to be able to continue to rely on the relevant GDPR legal bases when processing personal data for the purposes of profiling. Only these prerequisites will ensure that the EU’s regulatory framework promotes innovation, competition, and growth in the digital economy while maintaining user privacy and data protection. We therefore urge co-legislators to take these considerations during the trilogue negotiations on the Data Act.
Press contact: Helen Mussard, IAB Europe – firstname.lastname@example.org
- Radosavljevic, Z., (19 January 2023), “Germany’s position on the Data Act”. EURACTIV. https://www.euractiv.com/section/data-privacy/news/germanys-position-on-the-data-act/
- As an example,The EDPB Guidelines on automated individual decision-making and profiling for the purposes of GDPR acknowledged the benefits for individuals and organisations of automated decision-making including the increased efficiencies and resource savings, https://ec.europa.eu/newsroom/article29/items/612053