Loading

Blog details

Czech EU Presidency proposes new data law on government access

Czech EU Presidency proposes new data law on government access

The Czech EU Presidency of the EU Council has proposed a partial compromise on the Data Act, defining the scope and protections of Chapter V.

 

Prague aims to forward the discussion over the proposed Data Act by reaching an agreement on the ability of public agencies to demand access to privately owned data. According to this report from Euractiv, with regard to Chapter V of the Data Act, which is meant to specify the circumstances in which public entities may request access to privately owned data, the Czech Presidency of the EU Council has suggested a new partial compromise. The proposal states that, in extreme circumstances, public sector organisations may use private corporate data. The idea of an extraordinary necessity has been honed to refer to situations with unpredictable, time- and scope-bound outcomes. Public emergencies, such as significant cybersecurity breaches, encompass both natural and human-caused disasters in Prague. This extraordinary circumstance must be specified by national or EU procedural law.

 

The Act governs the use of data by public organisations and  also applies when data is outsourced to a third party.

 

Alternately, public authorities may make a request for data, including metadata, if their prompt access is required to exercise their legal authority or carry out a specified activity in the public interest. The Czech Presidency has indicated that these activities may be related to municipal transportation, city planning, or infrastructure services. In any case, the requests must adhere to principles of proportionality, transparency, and purpose limitation. The purpose limitation concept also holds when data is outsourced to a third party, who will then be held to the same standards as a public sector organisation in terms of maintaining the confidentiality and integrity of the required data, as well as safeguarding trade secrets. The new text specifies that EU or national law responsibilities relating to specific purposes, such as official statistics, should not be impacted by the Data Act’s obligations. 

 

New requirements have been added to the list of things public bodies must do, and public sector organisations should utilise non-personal data whenever possible.

 

Public bodies will now additionally need to define which metadata should be shared, state the legal basis for the request, and clarify the request’s purpose for third parties. The list of things public entities must accomplish has been expanded to include these new requirements. There are now safeguards in place for requests containing personal data, and the public body is now required to justify the request and describe the security measures in place. Unless it poses a risk to public safety, the request for data should be made public. Public sector organisations should utilise non-personal data whenever possible. Unless responding to the request involves personal data, the organisation that owns the data should anonymise it and can request reimbursement for this. If the anonymisation is not practical, the government agency must demonstrate that the information requested is necessary. Aggregation and pseudonymisation should then be used in place of anonymisation.

Does your company have all of the mandated safeguards in place to ensure the safety of the personal data you collect or process? Aphaia can help. Aphaia also provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.

Prev post
The US CLOUD Act: what is the impact on European companies?
August 25, 2022
Next post
Dealing with Data Protection Complaints as a Small Business
September 6, 2022

Leave a Comment