A CEPS forum on 22 January explored the progress of the EU Data Protection Reform following the release of the LIBE report drafted by MEP Jan Albrecht (Greens, Germany) in December. The event gathered stakeholders representing, inter alia, competitive technology and an NGO working on privacy issues, also of great concern for the health community.
Entitled ’’(R)evolution: The EU Data Protection Reform’’, the forum provided useful clarifications by MEP Jan Albrecht. He stated that he was working with the other Parliamentary Committees on amendments to the LIBE Committee report he had drafted; there would be a number of changes to existing articles and recitals. He also emphasised that there must be no doubt any more that data protection is a fundamental right as enshrined in Article 8 of the Charter of Fundamental Rights. There was consensus across party lines that a set of coherent rules is required in all sectors, which simultaneously strengthens the rights of individuals and competition. Strong data protection rules were the condition to achieve one standard in the EU Single Market. MEP Albrecht informed the audience that his goal is to complete the legislative process before the composition of the new Parliament. Crucially, from his perspective the reform does not represent a revolution but it is part of a global development towards stricter control of personal data, which required the definition of new principles such as ’’privacy by design’’.
Paul Nemitz, Director at DG Justice, recalled the Commission’s proposal released back in January 2012. He said that it had taken into account previous calls from Parliament to serve two objectives, namely to fulfill the promise of the Charter of Fundamental Rights, and to be a gross accelerator for building trust in providing personal data in the digital economy. Combined they provided the basis for innovation and successful roll-out. Europe’s ’’trust crisis’’ needed to be overcome, and companies working along the lines of the future Regulation would have a huge competitive advantage. Mr Nemitz also highlighted that Europe is perceived as a leader in data protection, and that more than two thousand US companies signed up to the ’’safe harbour’’ agreement, i.e. they are working to EU legislation. Key points for further discussion, which had already begun at an Irish Presidency meeting, were the right to be forgotten, data portability and sanctions. The purpose of the Data Protetion Reform was to shift the burden of personal data from the shoulders of individuals to those who make profits with it, without encumbering the latter to operate successfully. Hence most requirements, such as the right to be forgotten, merely involved communication obligations rather than technical solutions.
The next speaker, Anna Fielder of UK-based NGO Privacy International argued that the evidence base in favour of more data protection was clear but rarely discussed. People worried about issues including identity theft, cross-border transactions, lack of information about online rights and power enforcements. At the same time, business found it sometimes more costly to comply with the existing rules than not to. She pointed to the need for a clear notion of ’’consent’’ and argued that the debate in Brussels over data portability is dominated by concerns over companies’ IPR and trade secrets. She stated that lack of trust amongst consumers is a result of lack of transparency - a sound data protection framework could in fact help boost consumer confidence and thereby lead to growth and innovation. She also deplored the fact that online privacy rules are often written in complex legal language which makes it hard, if not impossible, for lay people to understand them.
Representing the Association for Competitive Technology, Greg Polad argued that data protection rules must work for innovative entreprises, especially SMEs. He said that the mix of fundamental rights and economic issues is always difficult to manage. However, business needs, such as the right to operate a company and the right to consumer protection, deserved a prominent place in the debate. SMEs required a real valid policy and complexity would be detrimental to the objectives of the Regulation. He also reminded the audience that Europe is not only facing a trust crisis, but a real economic one, and the new data protection rules would also need to stimulate growth.
Following the panel discussion, a member of the audience asked about the rules for online consent for behaviour-based digital advertising. MEP Albrecht made it clear that consent is always required for online content, but not the procedure. He stated that in fact everybody should be able to decide on how much of their data they are willing to expose online. Yet consent and privacy rules need simplification, which could be achieved through standardised forms and agreements, so that users would not have to give consent every time based on complex agreements they do not fully read or grasp. In response to a question about the requirement for a data protection officer for organisations processing data of 500+ subjects per year, Mr Albrecht explained that the requirement would be proportionate to the size and activity of the organisation and hence this function could be part-time or even shared in the case of SMEs.
EPHA will continue to monitor and engage in the Data Protection Reform and advocate its existing Position in line with the findings of the Seminar on Data Protection it organised in November.
For further information:
Original Commission proposal for a regulation
Full draft report by LIBE Committee
Economic and Social Committee opinion EPHA position on General Data Protection Regulation European Parliament’s LIBE Committee debates General Data Protection Regulation ITRE Committee draft Opinion