BDI statement on the EU Data Act Proposal
emergency" and the in Art. 15 (a and b) DA-E and in particular a "specific task in the public interest expressly provided for by law" in Art. 15 (c) DA-E are very broad and do not provide companies with the necessary legal certainty in which constellations a data provision obligation is envisaged. The same applies to the protection of business secrets pursuant to Art. 17 (2 c) DA-E, especially against the background of a possible transfer of data to public research organisations pursuant to Art. 21 DA-E. There is an urgent need for clarification here in order to ensure a uniform understanding throughout the Union for the large number of public bodies entitled to such protection. In addition, it must be ensured that data provided by companies must be deleted again after the end of a "public emergency". With a view to Art. 15 (c) DA-E, it also appears unclear which concrete requirements are placed on the public bodies in advance of a statutory demand on the companies. Particularly in the case of company-specific data, the criteria under which a futile data provision request is to be made on "the market at market prices" are not sufficiently calculable. In addition to the scope of application, it is imperative for companies to specify the data protection and (non-)technical requirements for security precautions for information security in the course of data provision with the public body. In order to be able to guarantee the protection of informational self-determination and data security on the part of the company, appropriate data provision periods must also be ensured in accordance with Art. 17 (1 e) DA-E. Finally, data protection-adequate pseudonymisation and anonymisation of personal data already leads to a considerable amount of time and effort, which must not only be taken into account in the time limits, but must also be recompensed through appropriate compensation. Finally, B2G data sharing obligations must be designed to be both legally secure and practicable. This applies first of all with regard to personal data in the form of legally secure and, at the same time, practicable guidance on the sufficient anonymisation and pseudonymisation of personal data. Analogous to the discussions in the ongoing procedure on the Data Governance Act, it is completely unclear in application practice which technical measures are required for sufficient anonymisation of personal data. Furthermore, corresponding obligations should only be addressed to data holders, so that data processors are not forced to pass on customer data to public authorities, contrary to their contractual obligations. Chapter VI: Switching between data processing services In addition to a high degree of flexibility and scalability, cloud services offer their customers a high degree of user-friendliness. However, the ease of use can go hand in hand with the fact that customers' applications are deeply integrated into the provider-specific (proprietary) ecosystem of the respective
www.bdi.eu
Page 17 from 21
