BDI statement on the EU Data Act Proposal
important cornerstones for the high level of data protection that Europe can boast in international comparisons. For this reason, many industrial companies have a great interest in working with anonymised data to a much greater extent. With regard to the legislative requirements, it must be stated that the GDPR does not contain any concrete requirements for the anonymisation of personal data and the Data Act will further exacerbate the already existing uncertainties in practice. Due to the resulting legal uncertainty and the lack of uniform standards, companies often refrain from participating in this project at present. In the IW Cologne study "Data Economy in Germany", 73 per cent of companies cited "a lack of standards for the anonymisation of personal data" as an obstacle to greater economic use of data.5 In order to be able to use the economic potential of anonymised data and, at the same time maintain the high European level of data protection, the BDI believes that legally secure and , at the same time practicable requirements, for example via the possibility of codes of conduct in accordance with Article 40 of the GDPR, are of central importance for data protection-compliant anonymisation of personal data. Corresponding guidelines should be developed in close consultation and cooperation with industry and build on best practices.6 1.2.
Definitions
A fundamental problem of the Commission's proposal is that key terms are either not defined at all, or are defined with little clarity. In this respect, the Data Act-E leaves considerable room for interpretation regarding the scope of application and the practical reach of many regulations, which leads to great uncertainty in practical application. From an industrial perspective, the definitions in Art. 2 DA-E harbour the risk of leading to more legal uncertainty and thus less value creation. Therefore, the central definitions should not only be mentioned in passing in the recitals, but should be specified directly in Art. 2 DA-E. Art. 2 (1) DA-E "Data": The definition of "data" is conceivably broad and very imprecise in view of the numerous specifications - especially with regard to the data provision obligation in Chapter II. After all, the data obtained in machines and then files generated are by no means homogeneous. Data originating from industrial machines may differ in terms of processing (raw vs. analysed or processed data), disclosure of trade secrets and knowhow, and the commercial and technical feasibility of making them available.
5
Datenwirtschaft in Deutschland - Wo stehen die Unternehmen in der Datennutzung und was sind ihre größten Hemmnisse?", IW study commissioned by the BDI, February 2021, available at: https://bdi.eu/media/publikationen/?publicationtype=Studien#/publikation/news/datenwirts chaft-in-deutschland/. 6 Cf. BDI guideline "Anonymisation of personal data", 2020, available at: https://english.bdi.eu/publication/news/anonymization -of-personal-data/.
www.bdi.eu
Page 7 from 21
