The General Data Protection Regulation- Issues for the Trilogue
The Centre for European Policy Studies (CEPS) in collaboration with TechUK and the Coalition for the Digital Economy (COADEC), invited Wednesday May 13th for a Digital Forum seminar entitled: “The General Data Protection Regulation- Issues for the Trilogue”. The seminar, divided in two parts, discussed the main issues related to the upcoming trilogue on the General Data Protection Regulation (GDPR) from the point of view of start-ups and entrepreneurs on the one side and policy experts on the other.
Panel 1: Challenges of data protection for start-ups and SMEs
The first panel discussion aimed at providing the policy experts present at the discussion, with an insider perspective. A team of entrepreneurs urged regulators to provide them with legal clarity and questioned the extent to which explicit consent should be balanced with legitimate interests for companies that want to develop useful solutions and personalised services to their costumers.
Nathan Salter (COO, OMG):
It seems that with the new data protection proposal, the scope of personal data is getting broader and broader. Types of data we never considered personal are becoming it. Data’s are becoming very sensitive involved in the new regulation.
The risk of a too restrictive regulation, that could hamper the development of the Internet advertising and marketing industry, a source of exponential growth in the EU, needs to be taken into account. We need to adopt rules on a case-by-case basis, distinguishing between innovative data analytics from aggressive profiling, unfair tracking and price discrimination practice.
Raphael Van Assche (Managing Consultant, Tunstall Healthcare):
My company provides technology enabled services, basically social alarm services, e-medicine or health management services to elderly people in Europe.
We collect data but we don’t use them for profiling activities, we just get the right information in order to support the people in the best way.
In order to enhance trust and confidence we really need to adopt an efficient data protection regulation, ensuring better perspectives for e-business development in Europe. A better harmonisation of the data rules around Europe would help to create a communitarian health database.
Andrey Dokuchaev (COO, Clausematch):
I’m representing a utility platform for contract negotiations. The adoption of the new GDPR would provide joint liability between data controllers and data processers. Additional requirements would potentially raise the costs and add burdensome procedures, becoming a major problem for start-ups.
Aneesh Varma (Founder, Aire):
My company provides access to financial products, therefore to warrant a financial service our profiling activities need to be accurate. Mobility for work is increasing; this raises the need for data to move with workers. Data should be used to drive financial inclusion.
Panel 2: Issues for the Trilogue
During the first panel we had the opportunity to hear and better get to know the point of view of a team of entrepreneurs giving us an insider perspective. The second panel discussion, focus on the other half of the medal: policy experts. Indeed, the Council and the European Parliament have conflicting positions on many provisions, including the sensitive “informed consent” issue, set out as a cornerstone by the EP. This principle foresees that users must be informed and explicitly express their consent about any activity aiming at collecting or processing their data.
We have been working on GDPR for a long time. I think that now we should say thank u very much to the Latvian presidency, as they open the possibility to start the trilogue discussions, hoping on a good institutional cooperation!
Indeed we are open for discussions, but remembering our work done until now. Combined with the review of the privacy directive, the adoption of the GDPR would shape a concrete continental privacy package, striking the right balance between business interests and user’s protection.
Moreover we should understand that there is no possibility to discuss on possible solutions, concerning the 16 initiatives presented in the DSM strategy without starting the implementation of the GDPR. I would also like to strengthen the point, that one of the 16 initiatives is focused on a privacy directive, underlining the need for Europe to have a privacy regulation. We need to prepare the conditions and framework for it’s implementation, and we need to consider if all the presented solutions will be implementable.
Speaking about data protection and data privacy we should think on a better balance between all the stakeholders and the possibility for business to implement it.
A new question should be put on the table: Who is actually the owner of Data?
Are we the owners as individuals, as public authorities, as businesses?
The answer is: everyone, not just businesses! It’s not all about business, there is indeed no possibility for our digital economy to further develop without a data regulation.
Let me conclude mentioning that during the trilogue it will be particularly important to focus on the following controversial points: Explicit and Non-explicit content, the right to be forgotten, profiling activities, One Stop Shop.
When talking about data protection regulation, we need to stress the importance of more harmonisation and better cooperation including all the stakeholders.
In some areas we need regulations in others we need conduct codes.
Kevin O’Connel (Member of Commissioner Vĕra Jourová’s Cabinet, European Commission) gave his own view on the evolution of the legislative process starting from the first Commission’s proposal in 2012. Indeed if the initial reform proposed focused more on empowering EU citizens, giving them better and clearer data protection laws, the new agenda, adopted by this College of Commissioners, includes also EU rules to improve regulations for SMEs and entrepreneurs. The regulation, currently under intense discussion, can be defined as a key building block for the launch of the DSM, and the GDPR as the most important variable of the whole DSM strategy.
In order to be successful, we need to be careful when adapting the directive, not inventing something new but enforcing and updating the existing things. As we are dealing with fundamental rights, we need to be very carefully.
Baiba Jugane (Justice Consellor, Permanent Representation of the Republic of Latvia), basically pointed out the achievements made under the Latvian presidency. The biggest effort, she said, was the agreement on the one stop shop mechanism for data protection.
Concerning the most debated horizontal issues, Chapter II relating on the principles of data processing, was the most crucial point. Indeed this chapter and its principles are still an issue on the table. Our intention is also to find a compromise on Chapter III.
Finally I would like to thank the other member States and Institutions for the trust expressed towards the Latvian presidency and wish good luck and a good work to the representatives of Luxembourg, which will take over the presidency.
Laure Wagener (Counsellor, Permanent Representation of Luxembourg to the Eu) congratulated her Latvian colleagues for the excellent work done during their presidency. Now it’s up to us to continue with the good work done until yet.
Concerning our presidency we will focus on two imperatives concerning the GDPR:
<!--[endif]-->We need to get it right!
We need to get the right balance between protecting data subjects and permitting or shaping the right conditions for businesses to work. It’s imperative to increase the level of harmonisation among member states! The data subject deserves more clarity and we will work in order to warrant the same level of data protection in the whole European Union.
<!--[endif]-->We need to get a workable solution: Easily enforceable and updated.
This is an opportunity to regain a leading position as a technology exporter not a consumer. New technologies and developments on the use of data do not need to be at the odds with the principles of data protection.
Time is another crucial factor, because we need to update the legal framework as soon as possible, otherwise it will be out-dated as soon as implemented. Technological progress moves on very fast. Getting the reform in place by 2015 is and will be our common goal.
When regulating and thinking about the potential text of the DSM, it’s important to think about all the stakeholders, including them all. The European companies need a clear legal framework in order to do their business and to do it the best way possible.
We have to deliver both of the things: Jobs and privacy.
The digital innovation can do great things for Europe, for the world, but needs the right legal framework to be able to express its whole potential.
The idea of proportionality is important, as there are many scenarios where this right is highly needed.
The other big question is the issue of consent, how do we avoid the situation of bothering people with the issues of consent? And how can we be sure, that people really pay attention to the legal terms?
Simplicity and clarity that’s what we need speaking about digital markets.
EU-LOGOS ATHENA “INSTITUTIONAL STRUGGLES CONCERNING THE GENERAL DATA PROTECTION REGULATION":
PROPOSAL ON THE GENERAL DATA PROTECTION REGULATION: