Brian Jackson - Fotolia
European business has raised concerns over the general approach agreed by the EU Council of Ministers to reforms of the region’s data protection laws.
The last phase of negotiation to agree a final text of the EU General Data Protection Regulation (GDPR) can now begin with versions previously being approved by the European Commission and the European Parliament.
But European digital businesses are unhappy with the text agreed by the Council of Ministers, saying the “blunt-instrument approach” in the current review threatens to hobble a sector that continues to show strong growth, without achieving meaningful privacy improvements for EU consumers.
Three points of the latest version of the GDPR represent serious cause for concern, according to digital industry association IAB Europe.
First, the future regulation looks like placing additional restrictions on companies’ ability to process data, making the new rules more restrictive than those now in force.
For example, IAB members are unhappy that several provisions of the text, taken together, may outlaw the processing of aggregated customer data that provides advertisers crucial information about the effectiveness of their ads.
“Ironically, this means a review intended to adapt EU rules to the Internet age may instead wind the clock back,” IAB Europe said in a statement.
Second, there are concerns that the new text exposes companies for the first time to the risk of punitive fines in case of even inadvertent breach of the rules – including for data processing that causes no meaningful privacy risk to users.
Third, IAB Europe believes that the Council of Ministers has “gutted” the one-stop shop principle that was the centre-piece of the original proposal.
According to the principle, instead of dealing with 28 different national privacy regulations, businesses were supposed to be allowed to work with a single data protection authority in the country where they are headquartered or have their main European base.
IAB Europe believes this one-stop shop approach would have increased efficiency and represented a major advance in Europe’s quest to create a functioning digital single market.
But the text approved by the Council of Ministers gives any “concerned” authority the power to object to a decision taken by another national regulator.
“The current approach is blunt and indiscriminate – a far cry from the supposed objective of making EU rules fit for purpose in the Internet age”, said Townsend Feehan, chief executive of IAB Europe.
“The future regulatory framework needs to enable digital advertising to fund the informational, educational, entertainment and E-commerce services that European users enjoy online at little or no cost.
“That is not what is on the table right now. It is no exaggeration to say that a draconian regulation could drive small and medium-sized companies responsible for much of the innovation we see in the industry today out of Europe,” she said.
Feehan said users do need transparency and choice about the processing of their data online, including for advertising.
“IAB Europe members are working hard to explain complex privacy policies. They are trying to help users learn as much, or as little, as they want to about how the technology and business models work. They are committed to effective selfregulation, which can adapt faster than the law to the changing landscape and consumers’ evolving needs,” she said.
Feehan expressed the hope that the final phase of negotiations between the Council of Ministers, European Commission the European Parliament – known as the trilogue – will take account of these concerns.
The GDPR must allow digital advertising to continue to be “a motor for Europe’s Digital Single Market and global competitiveness," she said.
According to IAB Europe, online advertising spend in Europe is growing fast, up 11.6% in 2014 to €30.7bn compared with €27.4bn in 2013. The industry association also notes that online advertising revenues have more than quadrupled since 2006 - while the overall European economy has stagnated.
“A data protection regime that is more constraining than the current law, dating from 1995, would undermine Europe’s ability to benefit from the digital revolution, and needlessly handicap dynamic EU-based SMEs that are trying to compete in the global marketplace,” IAB Europe said.
The trilogue is set to begin on 24 June and is expected to last six months. “The shared ambition is to reach a final agreement by the end of 2015,” the European Commission said in a statement.
But even though the finish line is in sight, the hardest part is yet to come, according to Eduardo Ustaran, partner at law firm Hogan Lovells International.
“Big milestone hit today but the hardest bit still ahead,” he tweeted, with a link to a blog post that likens the process to a marathon.
According to Ustaran, the trilogue will first aim to get a couple of easy wins under its belt, such as the territorial scope of the GDPR and international data transfers because there is a high level of agreement on these issues.
Read more about proposed European data protection laws
More than half of European companies do not know about the legislation planned to unify data protection laws.
Only half of UK IT decision-makers are aware of the coming EU Data Protection Regulation, compared with 87% in Germany.
The vast majority of cloud providers are not yet prepared to meet the requirements of the new EU General Data Protection Regulation.
However, he believes the EU Parliament’s introduction of a specific restriction on the disclosure of personal data following a request from a non-EU court or administrative authority could present difficulties because the political connotations of this measure are severe.
Next, the trilogue is likely to tackle the core aspects of the GDPR framework, including the data protection principles that cover the grounds for processing and the conditions for consent, the rights of individuals that cover the right to be forgotten and the provisions on profiling, and the obligations affecting controllers and processors.
Ustaran believes that this could be a very long process and that a critical aspect of the negotiations around these issues will be the degree of acceptance by the European Parliament of the “risk-based approach” proposed by the Council of Ministers.
Next, the trilogue is expected to discuss the one-stop shop principle. Discussions are likely to be intense, according to Ustaran because while the one-stop shop principle is one of the cornerstones of the framework devised by the Commission and is supported by the Parliament, it has proved to be a battleground in the Council.
However, Ustaran believes the fines that data protection authorities will be allowed to issue, is likely to be an area where there is a degree of consensus.
Once all the main issues have been dealt with, Ustaran expects the trilogue is likely to focus on some technical points such as the special regimes that will apply to the processing of personal data in the context of the employment relationship, scientific research and journalism.
According to Ustaran, the final discussions are likely to be uncontroversial. Although they will touch on the politically sensitive issue of the power of the Commission to adopt delegated and implementing acts, he believes the prospect of the finish line will spur all parties to consensus.