Meritxell Borràs demands in the Congress of Deputies that the new Bill on digital services recognize the powers of the APDCAT and the rest of the regional authorities

The director of the Catalan Data Protection Authority (APDCAT), Meritxell Borràs i Solé, appeared this Thursday before the Economy, Trade and Digital Transformation Committee of the Congress of Deputies, in relation to the Bill that modifies various legal provisions to improve democratic governance in digital services and media regulation.

The director of the APDCAT pointed out that the Bill modifies two regulations that incorporate a reference to the Spanish Data Protection Agency (AEPD), without making reference to the other supervisory authorities in the field of data protection (the Basque, Andalusian and Catalan), which also have supervisory powers in both regulatory areas. Not incorporating this reference would constitute a violation of the competence framework.

For the director, if the APDCAT controls the public sector of Catalonia when it processes personal data, in application of the General Data Protection Regulation, this competence must also be recognised in other regulations when the entities subject to its control are subject to obligations arising from data protection regulations. For this reason, she insisted that the reform that is now being promoted should be adapted to the existence of other data protection authorities, in addition to the Spanish Agency, recognising the regional powers of data protection.

Along these lines, she recalled that the Draft Bill for the good use and governance of artificial intelligence, of the State Government, does take into account the four data protection authorities, and not only attributes to the AEPD the competence to supervise some artificial intelligence systems, but also to the Basque, Andalusian and Catalan authorities.

Growing value of data

During her speech, Borràs pointed out that technology allows for increasingly in-depth, complex and massive data processing. She warned that many companies have been trading in data for some time, due to its growing economic value, and that they are making profits from it. In this sense, she warned of the risks of profiling people, which can mean getting to know not only their economic profile, but also their social or ideological profile.

Borràs recalled that Europe has promoted rules that set limits and obligations for companies and provide citizens with new rights or more guarantees to exercise them. For example, regulations such as data, data governance, artificial intelligence, digital markets or digital services. The director stressed that it is necessary to see not only the complementarity of these rules, but also their interrelationship, also ensuring the central role of data protection authorities in guaranteeing this fundamental right in all sectors, and also in supervision.