The European Data Protection Board (EDPB) warned Thursday that a legislative proposal from November 2020 risks damaging the individual fundamental rights of European Union citizens.
The proposals comprise four existing statutes, with a fifth proposal for a “Data Act” expected to be presented soon. They collectively aim to facilitate further use and sharing of personal data between public and private parties, developing the region’s “data economy.” They also seek to support the use of Big Data and AI to regulate online platforms.
The EDPB states that these efforts might impact the protection of several fundamental rights, namely Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (eliminating inconsistencies and inequalities, respectively) as well as Article 16 of the Treaty on the Functioning of the European Union (freedom to conduct a business).
The first critique was that the proposals showcased a lack of protection of fundamental rights and freedoms. This issue can be seen across all the recommendations. However, it was highlighted by the proposal to allow the use of AI systems in categorizing individuals from biometrics according to ethnicity, gender, political affiliations, and sexual orientation. Further, it also encouraged a complete ban on any use of AI to infer human emotion. It suggested that all online targeted advertising should be regulated more strictly, especially as far as children are concerned, and when advertisements result from pervasive tracking.
The second identified issue was concerns of fragmented supervision. The data protection supervisory authorities were determined to be competent authorities as regulators. The EDPB proposed that each proposal should mention data protection supervisory authorities among the relevant competent authorities. Additionally, each proposal will be expected to “provide for an explicit legal basis for the exchange of information necessary for effective co-operation and identify the circumstances in which co-operation should take place.”
Finally, the risk of inconsistencies was expressed. According to the EDPB, the operative text of proposals “may create ambiguity as to the applicability of the data protection framework.” They also should not affect or undermine pre-existing data protection rules.
To achieve the set goal without undermining the relevant rights, the EDPB recommends coherent and clear definitions, with the aim that data protection rules always prevail when personal data is processed.