On May 4, 2022, EDPB-EDPS issued their Joint Opinion 2/2022 on the Proposal of the European Parliament and of the Council on harmonised rules on fair access to and use of data (Data Act)

With this Joint Opinion, the EDPB and the EDPS aim to draw attention to a number of overarching concerns on the Proposal on Data Act and urge the co-legislature to take decisive action.

The EDPB and EDPS note that the Proposal would apply to a broad range of products and services, including the connected objects (‘Internet of Things’), medical or health devices and virtual assistants. Certain products and services may even process special categories of personal data, such as data concerning health or biometric data.

As the Proposal does not explicitly exclude certain types of data of data from its scope, data revealing highly sensitive information about individuals could become the object of data sharing and use according to the rules established in the Proposal.

While welcoming the efforts made to ensure that the Proposal does not affect the current data protection framework, the EDPB and the EDPS consider that additional safeguards are necessary to avoid lowering the protection of the fundamental rights to privacy and to the protection of personal data in practice.

First, additional safeguards are especially necessary as the rights to access, use and share data under the Proposal would likely extend to entities other than the data subjects, including businesses, depending on the legal title under which the device is being used. Second, the EDPB and EDPS are deeply concerned by the provisions of the Proposal regarding the obligation to make data available to public sector bodies and Union institutions, agencies or bodies in case of “exceptional need”. Finally, the EDPB and the EDPS are concerned that the oversight mechanism established by the Proposal may lead to fragmented and incoherent supervision.