Multiple data laws overlap, with risk of dual proceedings for one infringement
30th July 2022
There is a lot of data legislation on the horizon and due to come out of Europe. A lot. So it is no wonder that multiple data laws overlap, with risk of dual proceedings for one infringement.
We all know about the GDPR which pertains to personal data, but are you aware of all the other data legislation?
Do you know what they are and how they differ?
Below we give you a brief summary of each and then go on to give you an example of how you could be at risk of dual proceedings (potential double jeopardy) for one infringement.
So, stand by for multiple acronyms from the European Commission – which was a body established in 2019 to put EU policies in legislation in place by 2023 – with the aim of putting the EU at the forefront of today’s data-driven society.
According to the European Commission themselves,
“Data is an essential resource for economic growth, competitiveness, innovation, job creation and society progress in general.” European Commission.
Here is a list of the multiple data laws and you will see below their potential for overlap:
- The EU Data Act
- The Data Governance Act
- The Digital Services Act
- The Digital Markets Act
- The Artificial Intelligence Act
Whilst all of these different Acts aim to protect individuals, every Act places an additional burden on business. If you have ever dealt with a subject access request, you will understand how the right of access for an individual can place disproportionate demands on organisations. I, therefore, thought it may be helpful just to mention that when the EU was formed and reinforced in the Maastricht Treaty, the principle of proportionality was introduced which states that the content and form of EU action must not exceed what is necessary to achieve the objectives of the European Treaties. Essentially, this means that EU laws and regulations must always be proportionate to the objectives sought and, by extension, any measures that seek to protect or limit individuals’ rights should not exceed what is necessary and appropriate.
The EU Data Act
The EU Data Act has at its core the purpose of making it easier for organisations to share data. Its remit is business to business and government to government data, NOT the data of individuals. It attempts to clarify who can benefit from the data and how.
Its main objective is to make ‘Europe a leader in the data economy’.
The EU Data Act must be utilised in parallel with the EU General Data Protection Regulation. It is wider than the EU GDPR in that it deals with all data, not just personal data which the EU GDPR is concerned with.
The Data Governance Act
This Act is in a very similar sphere to the EU Data Act but its focus is more on creating a legal framework than on the sharing of the data.
Digital Services Act
This is an update of the e-Commerce Directive, which is legislation that applies to organisations that provide an information society service and who are established within the European Economic Union (“EEA”). The focus of the Digital Services Act (and this is a theme) is on giving power back to the user and away from the huge platforms.
The Digital Markets Act
This Act is going to establish a set of ‘obligations and prohibitions’ for the huge online platforms which are seen as ‘gatekeepers’ and have, up until now, been seen to have had an unfair advantage due to their scale. Organisations not complying can be sanctioned – this could be a fine of 10% of its total worldwide turnover in the previous year.
“The EU is looking to bring fairer conditions to consumers and businesses for many digital services across the EU.” European Commission.
The Artificial Intelligence (AI) Act
Artificial Intelligence (AI) looks to bring many benefits, both from an economic and societal point of view.
There is, however, a concern that the technologies behind the AI may jeopardise fundamental rights such as the right to ‘non-discrimination ... personal data protection and privacy’, for example.
AI technology is developing fast and EU policymakers are keen that regulation keeps abreast of it. They need to balance the benefit it brings with the risks that ensue and a move from their previous softer approach to the more regulatory approach on the horizon reflects this.
“The European Commission is attempting to lay down a classification for AI systems with different requirements and obligations tailored on a ‘risk-based approach’.” European Commission.
Can I be fined twice by two different Acts for the same ‘crime’?
In theory, the short answer is yes.
Whilst the above Acts do not specifically focus on personal data, they do not EXCLUDE it.
Our fellow professionals at IAPP cite the following example:
“For example the Digital Services Act where a violation of the prohibition to send targeted advertising to minors or the prohibition to process special categories of data for advertising purposes could also be a violation of the GDPR. The proposal for the Artificial Intelligence Act contains several provisions that interact with the GDPR, such as provisions on profiling or the use of facial recognition. A violation of any of these provisions could also be a violation of the GDPR.” IAPP
The EU GDPR, the AI Act, and the DSA all have their own penalties and enforcement regimes. The chance of double (treble!) jeopardy is real.
One would hope that, should these situations arise, the relevant authorities will work together to find a way through this new minefield of legislation to avoid any erroneous charges.
Our advice is of course to ensure that you remain compliant, and then this will not be an issue for you.
Just a word of caution: we have outlined the approach being taken by the European Union, which is usually the gold standard in most data protection and information governance matters, but countries are introducing their own laws in addition. In the UK we are developing our own separate but complementary legislation, as are different countries around the globe and States in the USA. Unless you are only processing the personal data of individuals in one country, you need to maintain a global perspective.
If you need some help navigating these upcoming data laws, please do take advantage of your complimentary half-hour consultation.