The Czech EU Presidency of the EU Council has proposed a partial compromise on the Data Act, defining the scope and protections of Chapter V.
Prague aims to forward the discussion over the proposed Data Act by reaching an agreement on the ability of public agencies to demand access to privately owned data. According to this report from Euractiv, with regard to Chapter V of the Data Act, which is meant to specify the circumstances in which public entities may request access to privately owned data, the Czech Presidency of the EU Council has suggested a new partial compromise. The proposal states that, in extreme circumstances, public sector organisations may use private corporate data. The idea of an extraordinary necessity has been honed to refer to situations with unpredictable, time- and scope-bound outcomes. Public emergencies, such as significant cybersecurity breaches, encompass both natural and human-caused disasters in Prague. This extraordinary circumstance must be specified by national or EU procedural law.
The Act governs the use of data by public organisations and also applies when data is outsourced to a third party.
Alternately, public authorities may make a request for data, including metadata, if their prompt access is required to exercise their legal authority or carry out a specified activity in the public interest. The Czech Presidency has indicated that these activities may be related to municipal transportation, city planning, or infrastructure services. In any case, the requests must adhere to principles of proportionality, transparency, and purpose limitation. The purpose limitation concept also holds when data is outsourced to a third party, who will then be held to the same standards as a public sector organisation in terms of maintaining the confidentiality and integrity of the required data, as well as safeguarding trade secrets. The new text specifies that EU or national law responsibilities relating to specific purposes, such as official statistics, should not be impacted by the Data Act’s obligations.
New requirements have been added to the list of things public bodies must do, and public sector organisations should utilise non-personal data whenever possible.
Public bodies will now additionally need to define which metadata should be shared, state the legal basis for the request, and clarify the request’s purpose for third parties. The list of things public entities must accomplish has been expanded to include these new requirements. There are now safeguards in place for requests containing personal data, and the public body is now required to justify the request and describe the security measures in place. Unless it poses a risk to public safety, the request for data should be made public. Public sector organisations should utilise non-personal data whenever possible. Unless responding to the request involves personal data, the organisation that owns the data should anonymise it and can request reimbursement for this. If the anonymisation is not practical, the government agency must demonstrate that the information requested is necessary. Aggregation and pseudonymisation should then be used in place of anonymisation.
