Tag Archive for: GDPR

GDPR blocks growth opportunities 

The EU’s General Data Protection Regulation (GDPR) promised harmonised rules and a stronger internal market. In reality, interpretations vary between member states, and case law is inconsistent. Companies live in uncertainty about which rules to follow in which country, and this undermines the competitiveness of the entire economic area.

The obligations of the GDPR are in many respects overly detailed and rigid. Contractual requirements, the 72-hour breach notification, and unclear rules on anonymisation and pseudonymisation create extra bureaucracy without real added value for data protection. Supervisory authorities treat guidelines as binding regulations, leaving risk-based thinking aside. 

Excessively strict interpretations also prevent the use of data in healthcare, research, and new digital services. When pseudonymisation cannot be applied flexibly, innovation stalls and international cooperation dries up. For example, telecom operators have enormous opportunities to develop business by using pseudonymised data generated by their networks: mobility patterns could be used in urban planning, service capacity, or tourism development without compromising individual privacy. Current restrictive interpretations, however, make this nearly impossible. 

The situation is made worse by conflicts between the GDPR and ePrivacy rules, as well as by authorities’ low notification threshold, which burdens oversight and wastes resources. In addition, the sanction mechanism is unbalanced: companies may face heavy penalties, while the public sector rarely faces administrative fines, even though authorities handle massive amounts of personal data. This is neither acceptable for citizens’ legal protection nor for equal treatment. 

A correction to the GDPR is essential. We need more consistent interpretations, risk-based regulation, sanctions that also apply to the public sector, and proportionality – so that data protection genuinely works for citizens rather than stalling European companies’ growth and the development of new business models. 

Elina Ussa, President of EuroISPA and FiCom Managing Director

EuroISPA signs joint industry statement on data processing for AI model training

In a joint statement addressed to the European Data Protection Board (EDPB), EuroISPA and 14 leading European and national trade associations urge the EDPB to adopt a balanced and pragmatic interpretation of the GDPR. A thoughtful look into the interplay of the GDPR and the AI Act will be key to making AI “made in Europe” a reality.

EuroISPA publishes Position Paper on Data Retention

Data retention frameworks regulate what data should be stored or archived, where that should happen, and for exactly how long. The data storage obligation stems from the ability of law enforcement authorities to request such data from Electronic Communications Services Providers at any time.

In light of the current discussions within the High-Level Group on access to data for effective law enforcement, EuroISPA has published this Position Paper on Data Retention. This paper is a testament to EuroISPA’s collective dedication to identifying the practical, operational and economic consequences and challenges of data retention at both the national and cross-border level.

Allowing law enforcement authorities to prevent and prosecute serious crimes while safeguarding the fundamental rights of users and electronic communications services providers is not an easy task, as shown by several rulings of the Court of Justice of the EU. EuroISPA has put together a list of imperative requirements to provide guidance on how to achieve the right balance between the interests and obligations of all parties involved.

EuroISPA, a pan-European association which represents over 3,300 Internet Services Providers (ISPs), works to advocate for the needs both of the wider industry and of users. This position paper is one example of how the association’s members work together to draft recommendations for EU policy makers that can be implemented by the industry in order to tackle the issue at hand.

NEWS: ePrivacy Regulation – EuroISPA welcomes progress but full alignment with GDPR remains crucial

Brussels, 10 February 2021 – EuroISPA welcomes the conclusion of the discussions in Council on the ePrivacy Regulation. After over four years of complex deliberations, we are now looking forward to the start of the negotiations with the European Parliament and the European Commission. The current text is the first step towards greater legal clarity and interoperability between the ePrivacy Regulation and the GDPR regimes. This clarity is needed for businesses in Europe to plan, operate, and innovate as well as to allow for the commercial support of the free and open internet. We welcome the introduction of further compatible processing and the performance of a contract as legal grounds for metadata processing. We believe that these must be preserved during the future negotiations if we want to have a coherent and harmonised EU data framework which ensures legal certainty for European businesses. However, we consider that further work on the text is still necessary.

We regret that the text agreed by the Council reinstated a previous version of “compliance with a legal obligation”, thereby restricting that legal ground even further and diverging from the GDPR.

In view of the negotiations, we would like to reiterate the key areas which are worth clarifying:

  • Material scope: We believe that to ensure consistency in the EU acquis, it would be necessary to further define the interplay with the GDPR and clarify when the GDPR stops applying and the ePrivacy starts.
  • B2B processing: In the business-to-business (B2B) context, providers of electronic communications services generally will not have a relationship with the end-users of their services. Clarification is therefore needed that, in such circumstances, consent can be provided by the enterprise customer.
  • Enforcement: There is a need to ensure that supervisory authorities, and enforcement and cooperation mechanisms are consistent with the GDPR standards. We need to avoid a situation where providers could be subject to oversight by multiple supervisory authorities for the same activities across the EU.
  • M2M processing: The application to machine-to-machine (M2M) communications must be limited in scope to high-risk instances, instead of applying to any kind of such communications, so as to limit the risk of making a wide range of critical enterprise processes highly burdensome.
  • Privacy-preserving technologies: The industry strives to keep developing privacy-protective data processing alternatives (e.g. on-device machine learning, new aggregation techniques, and other privacy-enhancing advances). The ePrivacy Regulation should not restrict innovative and privacy-protective new approaches that are designed to benefit individuals and strengthen their privacy online.

We look forward to the beginning of the negotiations and we remain willing technical partners to the institutions in defending the much-needed flexibility on the legal basis and the interoperability with the GDPR.