Data protection in light of the EU common data spaces?

A critique of the European Commission Proposal for a Regulation on a Framework for Financial Data Access & of the European Data Protection Supervisor’s opinion on the proposal (Opinion 38/2023), with some broader observations

The European Data Protection Supervisor Opinion is a well-meant but ultimately futile and doomed attempt to put parts of a thing – the European Commission’s proposed framework for financial data sharing – into a box – the General Data Protection Regulation (GDPR) – from which it is designed to escape.

In fact, the construct of not-really-consent “permissions” triggering a “legal obligation” to share data, and the attempt to base that data sharing on non-GDPR-based, not Supervisory Authority/European Data Protection Board-approved rules, is nothing more, or less, than a way to get around the GDPR requirements, in particular those relating to consent. It is, in effect, a manifest attempt to undermine the basic principle of informational self-determination.

If the European common data spaces will be created on the basis of this same approach, the GDPR will be completely eroded, and informational self-determination effectively destroyed in whole swathes of socially crucial contexts: health, finance, borders, etc., etc.

The proposal should be rejected as fundamentally undermining EU data protection law in a crucial and sensitive area of consumer activity.