Reforming Europe’s Privacy Framework - How to find the right balance.
September 2012. Representing leading business organisations in Europe, the Industry Coalition for Data Protection (ICDP) shares its key thoughts on the Commission’s proposal for a new EU Data Protection Regulation.
This statement builds on the coalition’s extensive work in May 2011.
Industry acknowledges the opportunity to modernise the European data protection framework. We believe it is in the interest of consumers and businesses alike that the revised EU data protection framework is robust, balanced, effective, relevant and future-proof. By fully harmonising EU data protection rules, the proposed Regulation would bring about increased legal certainty and would mark an improvement for businesses and consumers. In particular, the ICDP welcomes the decision to create a lead Data Protection Authority (DPA) under a “Main Establishment” regime. This approach will bring necessary clarity and reduce burdens for companies operating in multiple EU markets. However, the success of this approach will depend on complete applicable law and jurisdictional clarity and on clear requirements as to which DPA will be responsible.
However, the benefits of greater harmonisation are at risk of being outweighed by the costs of failing to strike the right balance between the protection of Europeans’ fundamental right to privacy and data protection, and the promotion of innovation, competitiveness and growth in the Digital Single Market. If enacted in the present draft form, the Regulation would delay the launch of innovative services in Europe, cause substantial loss in revenues for businesses of all sizes and in a wide range of industries, limit opportunities for new market entrants, strongly increase administrative costs and create legal uncertainty. Although helpful in some cases, certain exceptions for SMEs will not necessarily have the sheltering effect intended as both SMEs and larger companies operate in an ecosystem where compliance of all players is mandatory (to avoid joint liability). As such, the best way for the new rules to protect SMEs appropriately is to ensure a legal framework that is simple, proportionate and easy to comply with. In fact, many of these requirements will not enhance the protection of individuals’ data but simply lead to inefficient processes, overburden data protection authorities and create false expectations for users.
Additionally, the administrative sanctions should be reviewed in a way that ensures striking a fair balance between the protection of personal data of a data subject and the freedom to conduct a business enjoyed by an operator.
Specifically, the coalition feels substantial changes will be required on the following issues in order to strike an appropriate balance:
1. Personal Data definition: The new definitions of "data subject" and "personal data" encompass potentially an unlimited range of information, from anonymised online identifiers to an individual's full name and address, their medical records and religious beliefs. In order to make this broad definition workable in practice, the Coalition proposes to introduce a context based approach into the definition of personal data and the intentionality of the controller to identify the data subject. Two recitals recognize that context is a relevant factor in this respect, and that data which does not identify a data subject is not personal data. These important limitations should be expressly reflected in the definition of “data subject”. We also believe that while pseudonymous data is covered by the definition of personal data, the Regulation should explicitly recognize its specificities and clarify how the general obligations can be adapted accordingly.
2. Explicit consent: By requiring a single form of "explicit consent" for all categories of information (from the anonymous to the truly sensitive), the proposal would not allow for any differentiation between asking for people's consent to placing a cookie, collecting their full name and address, or recording their religious and political beliefs. This risks increasing "consent fatigue" and may lead people to automatically consent to anything, undermining the special care that should be applied in the context of truly sensitive data. We propose a context-based approach to consent, permitting innovators to use different mechanisms to obtain consent that reflect how and in what contexts consent is obtained and data will be used.
3. Administrative burdens: One of the objectives of the review of the Data Protection Framework in Europe is to reduce administrative burdens. This is a worthy ambition and one which harmonisation and deletion of the notification system go some way towards achieving, as noted in the Impact Assessment accompanying the Regulation. Care needs to be taken, however, to ensure that compliance with new provisions and concepts in the Regulation does not simply replace one set of burdens with another, which may be even weightier than the original provisions.
4. Technical mandates (Privacy by Design): Privacy by Design should be considered a process for ensuring that data protection is carefully considered in the design and implementation of products and services, and not be based on prescriptive and specific technologies. Imposing design mandates on particular technologies would directly challenge the technology neutrality of the legal framework, would result in significant burdens and would hinder rather than promote user privacy and security, by creating single points of failure.
5. Data processor/data controller: The future legal framework should provide for a clear distinction of the responsibilities of a data controller and a data processor. Blurring these will only bring more uncertainty, will not serve the harmonization objectives of the reform and is not the way to deal with the complexities of Cloud. The relation with data subjects is established and maintained by controllers and this is why the existing legal framework foresees direct responsibilities for controllers whilst the responsibilities of processors are left to be determined bilaterally between controllers and processors, depending on the circumstances. This current approach is well understood and has proven to be workable.
6. Sanctions: The Regulation takes a “one-size-fits-all” approach and applies the same sanctions to all types of violations regardless of their severity/harm and/or impact. This should be addressed. The text should specify that only the lead DPA can impose a single sanction per infringement and that it can be applied only to legal entities at national level or at EU level, rather than focusing on a whole group of undertakings at global level. It should be left to the discretion of the lead DPA to decide whether a sanction should be applied (and at what level), therefore we call for a change from “shall” to “may”.
7. European Data Protection Board: European data protection policy must be formulated in a transparent manner that reflects the views of a broad range of stakeholders. Therefore the new European Data Protection Board (EDPB) should follow the European Commission’s own Better Regulation initiative and be made more transparent and accessible by establishing a consistency mechanism open to other stakeholders’ input (following the BEREC and ENISA example).
Members of the Industry Coalition for Data Protection
The Association for Competitive Technology (ACT AIBSL)
The Business Software Alliance
The European Digital Media Association (EDiMA)
EMOTA, the European Multi-channel and Online Trade Association
The European Publishers Council (EPC)
The Federation of European Direct and Interactive Marketing (FEDMA)
Interactive Software Federation of Europe (ISFE)
Japan Business Council in Europe (JBCE)
World Federation of Advertisers (WFA)