European Parliament Adopts Report Recommending Directive on ESG Due Diligence Obligations
On March 10, the European Parliament adopted a legislative initiative report detailing recommendations for a new directive on corporate due diligence and corporate accountability, aimed at holding companies accountable for harm caused to human rights, the environment and good governance (the Report).
The key proposals recommended by the European Parliament in the Report include:
The European Commission previously consulted on a sustainable governance initiative in October 2020 and is expected to adopt a legislative proposal in the second quarter of 2021.
EDPS & EDPB release joint opinion on the Data Governance Act
On 10 March 2021, the EDPB and the EDPS released a joint opinion on the Data Governance Act (DGA), the European Commission’s Proposal for a Regulation on European data governance.
The EDPB and EDPS, however, warn that the legislative proposal poses the following risks:
The proposal could create a parallel set of rules that are not consistent with the GDPR, nor with Regulation 2018/1807/EU on the framework for the free flow of non-personal data. Furthermore, since EU Directive 2019/1024 on open data and reuse of public sector information (i.e. the Open Data Directive) already provides rules on the re-use of public sector information, an overlap with its scope would add to the confusion.
The DGA introduces a set of new definitions, such as ‘data holder’, ‘data sharing service provider’ or ‘data user’. These new terms would apply to the processing of personal data as well. Based on the scope of the definitions, however, they do not seem compatible with those in the GDPR.
As a result, the EDPB and EDPS advise that these definitions not be left open for interpretation without further elaboration. Most importantly, the DGA does not establish a legal basis for the re-use of personal data other than the principles provided for in the GDPR. It is yet to be seen how the Commission will react to the criticisms.
For more information on the DGA, see the press release and the joint opinion.
EDPB Releases Guidelines on Virtual Voice Assistants
On March 12, 2021, the European Data Protection Board (“EDPB”) published its Guidelines 01/2021 on Virtual Voice Assistants for consultation (the “Guidelines”). Virtual voice assistants (“VVAs”) understand and execute voice commands or coordinate with other IT systems.
These tools are available on most smartphones and other devices and collect significant amounts of personal data, such as through user commands. In addition, VVAs require a terminal device equipped with a microphone and transfer data to a remote service. These activities raise compliance issues under both the General Data Protection Regulation (“GDPR”) and the e-Privacy Directive.
The four most common purposes for which VVAs process personal data are (1) the execution of user requests; (2) the improvement of the VVA machine learning model; (3) biometric identification; and (4) profiling in order to deliver personalized content or advertising.
The Guidelines give those offering VVA services recommendations on how to navigate the key compliance challenges, such as by offering voice-based interfaces that give users notice of data processing during installation. The Guidelines provide that controllers should ensure that all data subjects (including those not registered as users of the VVA) are able to exercise their rights under data protection law using easy-to-follow voice commands.
Comments on the draft Guidelines should be submitted by April 23, 2021.