Data Act Message – Legitimacy of the Data Processing and Consistency of Data Protection

Data Act Blog Post Series

The proposed Data Act might lower the level of personal data protection law by giving more legitimacy to profit-driven personal data processing. It might also be inconsistent with the goals of the GDPR, precluding consistent application of both laws.

1. Consistency of the EU digital policy

There is an increase in laws impacting personal data processing. The GDPR is the most important law protecting personal data, but the impact of the Law Enforcement Directive, the future ePrivacy Regulation, and the Data Governance Act is not negligible. The most recent law is the proposal for the Data Act, which might significantly change the data protection predicament. Unfortunately, current personal data protection law is not perfect, and Data Act as it is now will not help. Although the Data Act stipulates that any processing of personal data ought to be conducted according to the rules under the GDPR, the overall message is different. From processing personal data only when necessary, as stated in the GDPR, to processing all kinds of data to innovate and create economic growth in the Data Act.

Although the draft Data Act stipulates that it is consistent with the GDPR, their goals and respective approach contradict one another to such a degree that their simultaneous application will be challenging. In addition, due to its goal of maximizing data sharing, data portability, and value creation, the Data Act is in axiological opposition to GDPR (The criticism raised by the EDPB regarding the Data Governance Act, but applicable to the draft Data Act as well due to both new laws goal to maximize data sharing). It raises the question of how the Data Act changes what is considered legitimate personal data processing under GDPR.

2. Privacy and the Economic Growth Conundrum

As a principal personal data protection regulation, the GDPR is a bulwark of personal data protection law. It focuses on fundamental rights protection. Therefore, personal data processing is limited to the extent that it is lawful and legitimate. In the GDPR context, lawfulness and legitimacy mean complying with personal data protection law and finding a balance between potential detriment and risks to fundamental rights caused by processing and the rights and interests of parties processing data. In case of doubt, the data subject’s interest prevails since fundamental rights protection is a priority—this can be considered one of the GDPR tenets. The free flow of personal data—the second objective of the GDPR—is subordinate.

GDPR message is that the processing of personal data is inherently risky, so we ought to process personal data to the extent strictly necessary for justified purposes.

On the other hand, the draft Data Act message is that we should process as much data as possible to create economic growth while complying with personal data protection law. However, what may be lost is the substance of personal data protection law, given so many contradicting regulatory goals. Therefore data protection compliance in the draft Data Act may not necessarily mean compliance with the data protection spirit. How otherwise to maximize the economic benefit of data processing while obeying GDPR’s spirit, which requires limiting personal data processing, while maximizing economic benefit usually requires its increase.

Thus, after the entry into force of the Data Act, the meaning of legitimacy of processing data, including personal data, might be understood differently than now. Most of the regulations and discourse surrounding data and personal data processing used to focus on privacy and personal data protection. However, at the moment, the draft Data Act indirectly introduces the right to conduct a business as a more prominent lens to evaluate the overall legitimacy of the processing since it encourages more personal data processing while the GDPR discourages it. Such focus directly impacts the balancing of conflicting rights and data protection culture.

That is because the stated objectives of the draft Data Act are, according to the EU Commission’s Data Strategy, to create an open and competitive digital economy based on data. The draft Data Act plays an important role in pursuing this goal by obliging private sector entities to share data with third parties on a much larger scale and setting up legal frameworks for data sharing. Moreover, although the draft Data Act stipulates its subjugation to the GDPR regarding personal data processing, these new rules create a new context for such data processing, which is significant.

3. More Data Processed Means More Controllers’ Responsibility

Whether data is personal is context dependent. Given how easy it is to identify someone using enough computing power and analytical tools, a significant volume of data flows caused by the draft Data Act will be personal data. More controllers will process much more personal data since the new legislation encourages it.

Thus, given the aim of the draft Data Act to radically increase the volumes of data flows, a controller’s judgment on whether data is personal or not is more important than before. Lawyers, especially data protection scholars, fancy discussing and devising theories around what constitutes personal data. However, in practice, it is up to the controller’s decision whether data is personal or not in a given context.

This new situation means that there will be more conflicts regarding opposing rights and interests related to personal data processing. Moreover, interests pursued on behalf of the controller, especially in the context of the right to conduct business, may obtain new legitimacy claims to justify processing. They will be derived from the normative content and discursive context of new “data freedom” laws, such as the Data Act. It may be a situation similar to how we now consider search engines’ freedom to legitimately process personal data (unless the right to erasure/object is claimed), which was confirmed in Google Spain. We now consider search engines essential and personal data processing the condition for the provision of their services. The same process might occur with the development of the products and services caused by the Data Act introduction—perhaps to the detriment of our rights.

4. A Risk In Itself to Data Protection

Therefore, the cultural and discursive context for privacy and data protection at a given time cannot be underestimated when foreseeing the effects of given new legislation on further legal interpretation. It brings us to an important distinction between law in the books, and law in practice.The Data Act may push the balance in the EU from focusing on fundamental rights protection, especially privacy, more to the practicalities of conducting business and a need for economic growth. Therefore, when evaluating the legitimacy of data processing as a principle in the GDPR, the balance may be switched from whether the controller should process personal data in a given situation to whether the context of the processing and safeguards introduced are enough to justify the processing. It means that we may move in practice from strict necessity tests for personal data processing to appropriateness or acceptability of processing test. It is a bleak scenario for our privacy.