Biometric data must be processed with ‘European values’: EDPS opinion on Data Act
Clarity is needed to ensure special types of highly sensitive data such as biometrics and health information are fully protected in the European Union’s proposed upcoming Data Act, according to the Joint Opinion report published by the European Data Protection Supervisor (EDPS) and the European Data Protection Board (EDPB).
The EU is drafting the Data Act, which will determine how data is processed, stored and shared as well as who has access to it. The Act intends to take into account the rights of ordinary people to control how their data is shared, as well as to protect businesses, since shared data can reveal the workings of a company’s products. The Act also sets out how the whole system of data would be governed and policed.
The proposals are being developed as something of an explosion of data is anticipated. Autonomous vehicles, virtual assistants, consumer health monitoring and medical-grade monitoring, the Internet of Things, increasing use of biometric identification and authentication, and surveillance will all generate huge quantities of data. The act tries to determine patterns for who owns this data – the homeowner or smart doorbell manufacturer – and protect all involved.
Several “overarching concerns” with the proposed Data Act are highlighted in the Joint Opinion, which urges the co-legislators to take them into account and take “decisive action.”
As the text stands, according to the EDPS and EDPB, the proposals apply to a broad range of products and services: “Certain products and services may even process special categories of personal data, such as data concerning health or biometric data. As the Proposal does not explicitly exclude certain types of data from its scope, data revealing highly sensitive information about individuals could become the object of data sharing and use according to the rules established in the Proposal.”
The Supervisor and Board welcome the fact that the proposals do not affect the current data protection framework already in place, but believe additional safeguards are necessary to prevent the lowering of the protection of personal data and the right to privacy in practice.
They break down their concerns into three areas. First, extra safeguards are needed because the rights to share, access and use data would extend beyond the data subject to other entities such as businesses, so the use of data by anyone other than the data subject should be restricted. Second, the proposal allows data to be made available to public sector bodies in cases of “exceptional need,” the lack of definition of which makes the authors “deeply concerned.” Their third area of concern is that the “oversight mechanism established by the Proposal may lead to fragmented and incoherent supervision.”
The authors also call for products to be designed in a way that offers the possibility to use devices anonymously or “in the least privacy-intrusive way possible.” They also want limitations on the use of data in direct marketing or advertising, employee monitoring, modifying insurance premiums and credit scoring.
“Data must be processed according to European values if we aim to shape a safer digital future,” comments Wojciech Wiewiórowski, EDPS. “As we move to create new opportunities for data use, we must ensure that the existing data protection framework remains fully intact. Access to data by public authorities should always be properly defined and limited to what is strictly necessary and proportionate, which is not the case under the draft Data Act.”
The Supervisor and Board also call on the co-legislators of the Data Act to designate national data protection authorities as coordinating competent authorities, and welcome the text’s designation of data protection supervisory authorities for monitoring the application of the Data Act in the protection of personal data.
“It is crucial to solidly embed the GDPR in the overall regulatory architecture that is being developed for the digital market,” comments Andrea Jelinek, EDPB Chair. “Not just for this proposal, but also concerning other legislative proposals, such as the Data Governance Act or the Digital Markets Act.”