The Member States will discuss, on Monday 5 September at a meeting of the EU Council Working Party on Telecommunications, the Czech Presidency’s compromise proposal for the fifth chapter of the Data Act (see EUROPE 12995/16).
Several changes have been made in this part of the text, which focuses on the creation of a harmonised framework for the use by public sector bodies, EU institutions and agencies, in case of exceptional need, of data held by companies.
In concrete terms, the new version of the compromise text now includes metadata in the list of data that could be made available in case of exceptional need.
In addition, the text also specifies that the scope and duration of the use of such data can only be limited, as such use is exceptional and can only take place in certain circumstances.
On this point, the list of circumstances has been completed. Thus, in addition to situations of response to a public emergency, to warn of a public danger or to assist in recovery from it, the text provides that data may also be requested from companies when their lack of it prevents a public sector body from performing a specific task, such as official statistics.
The text also refers to the conditions under which data requests must be made. The compromise document specifies that, where personal data is concerned, the request must be accompanied by details of the technical and organisational measures that will be taken to protect it.
Finally, the document also returns to the issues of compliance with data requests and the levels of compensation foreseen.
On this first aspect, the text retains the fact that data holders must make the data available “without undue delay” to the public entities that have requested them. Nevertheless, the holder could refuse or request a modification of the request in cases where he or she does not have control over the requested data.
Moreover, holders could also refuse a request in cases where they have already provided the requested data in response to a previously submitted request for the same purpose without being notified of their deletion.
Such refusals or requests for modification should be made within five working days of a request in cases of public emergency and within 15 days for other requests.
On the issue of compensation, the text now clarifies that, in cases where a public sector body or an EU institution, agency or body wishes to challenge the level of compensation requested by the data holder, this should be done with the competent authority of the Member State where the data holder is established.
See the compromise document: https://aeur.eu/f/2us (Original version in French by Thomas Mangin)