The legislation agreed in mid-December by Parliament and Council negotiators marks a crucial step forward in getting away with a calamitous patchwork of national laws on data protection. However, it contains a number of inconsistencies that could negatively affect Europe’s digital ambitions.
It took nearly 4 years of bitter negotiations for the EU to strike an agreement on a sweeping overhaul of its data protection rules. But it was worth it. The legislation agreed in mid-December by Parliament and Council negotiators marks a crucial step forward in getting away with Europe’s calamitous patchwork of national laws on data protection.
The previous EU rules dated back to 1995 and their varying interpretations by Member States have contributed to create significant regulatory uncertainty while hindering innovation in critical sectors of the economy.
However, the new General Data Protection Regulation (GDPR) is far from perfect. It still presents multiple critical aspects. For instance, it fails to create a level playing field for telecom operators.
Following its introduction, the electronic communications sector will be forced to abide by a twofold regulation, complying with both the new data protection legislation and the ePrivacy Directive.
If Europe is serious about supporting growth and innovation in its digital markets, this asymmetry should be addressed as soon as possible. Otherwise it will place yet another burden on a sector which has been hit hard in recent years by a slow economic recovery while being under pressure to invest more in digital networks in order to meet the EU broadband targets.
As many know, the on-going Internet evolution has been providing breeding grounds for several new telecom-like services (including OTT services) to grow.
The point is that, unlike traditional telecom providers, such services are not necessarily bound by the terms of the ePrivacy Directive, although they are functionally equivalent to one another.
As a consequence, different rules applying to equivalent services inevitably create unfair competition between telecom operators as well as legal uncertainty and general confusion among consumers.
In order for consumers to benefit from a consistent regulation, regardless of the service provider in question, a prompt revision of the ePrivacy Directive is thus required.
But the negative implications of the new regulation on data protection could be larger, stretching far beyond the telecoms sector.
DigitalEurope, the main association representing the digital technology industry in Europe, believes that the legislation fails to strike the proper balance between protecting citizens’ fundamental rights to privacy and the ability for businesses in Europe to become more competitive.
The text agreed upon between the European Commission, European Parliament and the Council of Ministers contains a number of stringent obligations that could be very costly for IT businesses, undermining their ability to invest, innovate and create jobs.
European businesses, traditionally less equipped to meet these obligations, could be hit hard. And, of course, this is in stark contrast with Europe’s ambitions to create a generation of home-grown global leaders in the tech sector.
Another matter of concern is the so-called is the compromise reached on the so-called “one-stop-shop”, according to which tech companies operating in different countries will deal with only one data-protection authority, namely where their European headquarter is based.
As Member states managed to weaken this principle, as recently reported by Reuters, some obervers believe that this will create more legal confusion and litiges (for instance, to determine what is the concerned national authority). Again: the bill for the companies could be very expensive.
Following the political agreement reached in trilogue, the final text of the data protection regulation will be formally adopted by the European Parliament and Council in a few weeks. Maybe there is still room to fix its inconsistencies.
Photo credit: Martin Fisch
Looking at Europe’s digital progress, 2015 started under great promise but didn’t end quite so well. So how can Europe do better? Here are 5 tests I’ll be applying in a year’s time.
Must do (quite a lot) better in 2016. Yes, it’s a cliché but that might well be the end-of-year report on Europe’s digital progress in 2015.
It started with great promise; President Juncker making snappy videos about his digital street cred, a Vice-President for the Digital Single Market and a Commissioner for Digital Economy and Society, and DSM strategy with welcome consultations.
But the year didn’t end quite so well, did it?
A compromise on data protection that didn’t deliver on its original promise of reduced costs for business, with a single consistent approach across Europe and a one-stop-shop; real uncertainty for many businesses thanks to the ruling on Safe Harbour, and endless examples of incumbent interests seeing off the disruptors who had the temerity to use digital to offer better, cheaper service to European city dwellers.
So how can Europe do better this year? Here are 5 tests I’ll be applying in a year’s time.
First, and it’s a big one, I’ll be asking whether we give as much weight to gaining the benefits of the new, and increasingly global, data economy and society – from health benefits to wealth benefits – as we do to the important task of keeping our data safe and secure. Have we grasped the opportunities of global data flows and resisted unproductive forced localization?
Second, make it more attractive, not less, to invest in Europe’s digital infrastructure. If the EU is to lead the way to 5G, crucial bands will have to be made available in a coordinated and timely way, putting an end to today’s national fragmentation.
My third test: make a real improvement in the quality and quantity of digital skills available both to tech suppliers and their customers in Europe’s industries and public services alike. At the end of the year I want to see that Europe’s citizens can easily and cheaply acquire the digital skills they need to be active in our digital Europe.
Next really do unlock the potential of e-commerce. Don’t just say you’ll do so while building new barriers and making consumer rules in the online world different from, and more complicated than the off-line world – recognise that for most Europeans this distinction is fast disappearing.
Fifth and finally, I want to see that many more of Europe’s business leaders and politicians have grasped and actively promoted the power of digital to modernise our industries and improve public services to drive the single market. Will we have shifted our thinking to exploit the power of modern platforms rather than worrying about them?
To borrow from Machiavelli, Europe has to tackle the powerful vested interests that profit from the status quo, while at the same time embracing the disruptors who dare to challenge them.
I look forward to seeing you again next year and I have every expectation of a better report.
photo credit: Tom Gill
We welcome the new General Data Protection Regulation (GDPR) that was agreed in mid-December, as it marks a crucial step forward. However, it fails to create a level playing field for telecom operators. And still presents multiple critical aspects.
Following the introduction of the regulation, the electronic communications sector will be forced to abide by a twofold regulation, complying with both the new data protection legislation and the ePrivacy Directive. If Europe wants to support the growth and innovation spreading out within its convergent digital markets, this asymmetry needs to be addressed shortly.
The ongoing, rapid Internet evolution has been providing breeding grounds for several new telecom-alike services (including OTT services) to grow. The point is that, unlike traditional telecom providers, such services are not necessarily bound by the terms of ePrivacy Directive, although they are functionally equivalent to one another.
As a consequence, different rules applying to equivalent services inevitably create unfair competition between telecom operators as well as legal uncertainty and general confusion among consumers. In order for them to benefit from a consistent regulation, regardless of the service provider in question, a prompt revision of the ePrivacy Directive is required.
The European Union needs to have common privacy standards in place as soon as possible. For this to happen, member states need to show far more engagement, says German MEP Jan Albrecht
More than three years on from the publication of the first draft proposal, the Data Protection Regulation is still under negotiation. However there are doubts over whether it can be agreed before the end of 2015. What is your view?
I think that for the legislation to be finalized by the end of this year member states need to show far more engagement. Negotiations in the Council are advancing at a slow pace due to simple issues and disagreements popping up over and over again, thus postponing the whole process.
So ultimately it’s a question of political will. If the Council does want to achieve an agreement, it can do it very quickly. The European Parliament has voted its position in October 2013: since then we are waiting member states to reach a deal in order to start the trilogue.
Speaking of the trilogue, how do you see the future negotiations between the Council and the European Parliament?
First of all, it will be key that the Council delivers on high standards for the protection of privacy. However, looking at the ongoing talks among member states some of the provisions of the proposal already run the risk of being diluted compared to the protection levels set in the 1995 directive.
This is a red line for the European Parliament: we won’t accept lower standards than the 1995 directive. If member states want to get on a common ground with the European Parliament they need to agree on stronger individual rights and sanctions.
Given that the regulation will have a two-year transitional period before it applies, don’t you fear that the technological evolutions will render the text obsolete by the time it enters into force?
I do not think that the text voted by the European Parliament will be outdated soon because it already encompasses all the actual developments and it is as much technology-neutral as possible.
But it’s true that if the Council doesn’t find an agreement anytime soon and negotiations stretch into 2016, adding the transitional period, it means that there are at least three years left before Europe has a single data protection standard. This equates to three more years of losses and struggle for the European IT companies in comparison with US Internet giants. I do not think that we can afford this to happen. We really have to hurry up!
However critics of the regulation lament that the regulation will result into more burden placed on companies.
On the contrary, the European Parliament has included in the text provisions that protect all the companies from too much burden – for example we excluded smaller companies from some duties of documentation and information.
Moreover, the new regulation would reduce bureaucracy by replacing 28 different national regimes with just one. The benefits for SMEs will clearly outstrip the potential burden which I do not think will be higher than today.
Is it possible to restore trust in transatlantic data flows and on which basis?
First, the European Union and its single market need to have common privacy standards in place in order to ensure legal certainty for consumers, citizens and enterprises in Europe.
Only then, we can start negotiating with the US on common transatlantic standards, i.e. the application of certain basic data protection rules. In short, that will be only possible if we pass the data protection regulation as quickly as possible.
How can we negotiate with the US on common standards and create a transatlantic market if Europe has not a single standard itself? As long as we do not achieve this objective it won’t be possible to negotiate on privacy standards in the framework of TTIP.
In addition, the US has also to do its own homework. New legislation on data protection recently announced by President Obama is a starting point and the first requirement for any further negotiation. Without such legislation in place it is almost impossible for the European Union to agree on common privacy standards.
What’s wrong with the EU’s plans for the passenger name record (PNR) system? Why the European Parliament is opposing the proposal?
In the last years nearly every terrorist attack we have seen involved attackers who were already known by the authorities as potential or suspicious terrorists. However, we have focused on collecting personal data of citizens – for instance through the data retention directive – who are completely not suspicious or risky.
Collecting just more hay if you are looking for a needle in a haystack is the wrong approach to improve security. The right way would be to spend the money that would go to the PNR system (hundreds of millions of euro) into better equipment for police and law enforcement authorities in Europe and into improving coordination and exchange of information on suspicious persons. This is what we ask.
A no less important issue is that last year the European Court of Justice ruled that retention of data without any link to suspicious or risk is not legal and proportionate. Therefore, we should not vote laws that we know are illegal.
photo credits: KylaBorg
The draft Data Protection Regulation (DPR), as it has been amended by the European Parliament, would seriously impair Europe’s competitiveness in medical research and innovation, which in turn will have a negative impact on health and wellness in the population.
The right to privacy and the consequent need for data protection is an aspiration of the great majority of people living in Europe. The draft Data Protection Regulation (DPR) is designed to provide the legislative framework for protecting peoples’ right to privacy and generally it does a very good job.
However, there is another right to which a great majority of citizens aspire.
[Tweet “The right to a healthy life, which implies the right of access to the best possible medical care”]
Excellent medical care is impossible without excellent medical research, which provides the new diagnostic instruments, drugs and other measures for keeping people healthy.
Balancing these two rights is critical if we are to protect individuals’ data, while avoiding harmful unintended consequences for research. As a practicing doctor and active medical researcher I believe there is a danger of that happening if the Parliament’s amendments to the DPR are adopted.
Medical research has increased the average European life span from around 40 to over 80 years in the 20th century. It has eliminated polio with vaccination; turned AIDS into a non-fatal disease; protected young women from cervical cancer; and cured stomach ulcers with antibiotics, eliminating the need for surgery.
The list is enormous. Medicine has also provided much employment in Europe in the last century.
Effective medical research requires a large number of different types of data, from varied sources, ranging from laboratories to hospitals to census information or medical records. Epidemiological and association studies often require very large data sets, based on information from thousands of people, to get the answers we need for disease prevention and to maintain “wellness”.
There is a tried and tested system for protecting the privacy of individuals. It is based primarily on local ethics committees that include lay representation and which work to an international standard expressed in the Helsinki Declaration.
In addition, peer review guarantees scientific validity and medical importance and eliminates unnecessary experimentation, or experimentation that cannot achieve a result to the question posed. This culture includes developing new methods to protect data, which are refined as science and technology progress.
Europeans view their health as being as important as their right to privacy. In a Eurobarometer survey from 2014, 40 per cent of respondents said that “treatments that work” are one of their criteria for high quality healthcare.
[Tweet “Health research is essential for discovering and testing better treatments”]
In Europe’s socialised health systems, the vast majority of people contribute to funding health care through taxes. Data collected during the care of an individual clearly belong to that individual.
But perhaps we should consider whether every citizen who pays for the health system also has a right for this rich information to be shared – safely and securely – to improve the health and wellbeing for all of us.
At present, the legal framework and the culture of safety in medical research respects the balance between the right to privacy and the right to health. That important balance will be maintained if the final version of the Regulation retains the substance of the medical research exceptions proposed in the initial Commission draft.
I believe that the adoption of the Parliament’s amendments to the Regulation would seriously impair medical research by preventing some studies and creating ambiguous rules and unwieldy, bureaucratic processes for others.
Europe’s competitiveness in medical research and innovation will be blunted, impacting negatively on opportunities for job and wealth creation, which in turn will have a negative impact on health and wellness in the population. This is a vicious circle that must be avoided.
This post was originally published on the website of the European Data in Health Research Alliance (www.datasaveslives.eu / @datamattersEU)