Changes in technology are raising more and more fundamental questions for our societies and the necessary adjustment of our legal framework balancing the current and future technological ecosystems and the protection of citizens’ rights. In fact, we are witnessing one of the most interesting periods of our era, mainly because the on-going technological revolution is posing stark challenges to founding principles of democracies around the world. Privacy is one of them.
The legislative reform on Data Protection within the European Union in this respect is awakening the interest and concerns of citizens and consumers, businesses, the economic sector at large and public administrations not only inside European borders but in other corners of the globe, mainly in the United States. And it is very normal since the Digital economy is global and legal traditions and policies are national and in the best cases regional.
In fact, the complexity of finding the ideal forward looking European framework which could balance a variety of different interests and the protection of fundamental rights requires the collaboration and opinions of all relevant actors involved. Some relevant reports have been discussed in the last days such as the OECD Report on Exploring the Economics of Personal Data, the ECIPE Report on the economic importance of getting data protection right or the CEPS Report on Online Personal Data Processing in the context of the EU Data Protection Reform.
Precisely, last week CEPS launched this very conscientious study prepared by the CEPS Task Force during the last months in which Telefónica has actively participated. The report does not provide a detailed analysis of the on-going EU Data Protection Reform. However, it consists on policy recommendations in the short-term with a view to the future General Data Protection Regulation and in the mid-term for a meta-governance approach to Privacy and Data Protection.
The striking technological innovation accompanied by new markets developments has posed new scenarios and dilemmas that the first generation data protection rules from 1995 cannot respond. Thereby European policymakers understandably face the challenges to provide digital confidence and trust in an information-rich economy for which personal data is an important input resource and to keep path with business ecosystems.
The CEPS Report on Online Personal Data Processing was launched in a very interesting debate by Mr Szostak, Member of Cabinet of Commission Vice-President Reding, Mr Buttarelli, Assistant Supervisor of EDPS and Mr. Rehse, Partner and Managing Director, Boston Consulting Group.
Buttarelli referred to the definition of personal data (anonymous versus pseudonymous data), stressing that pseudonymised data is by definition data relating to an identifiable individual, as the connection between the pseudonym and the identifying data is known to the data controller or to a third party. For the EDPS, pseudonymised data remains personal data and therefore falls within the scope of the Regulation.
Szostak gave an update on the state of play of negotiations, welcoming the efforts of the Irish Presidency in moving this file forward in parallel with the European Parliament. Szostak stressed the need to complete the negotiations within the mandate of this Parliament. Regarding the request of Council to expand the risk-based approach into the Regulation, Szostak commented that a risk-based approach should not apply to the principles of data protection or to the rights of individuals (Chapters II and III of the GDPR Proposal respectively).
We invite you to carefully read this document since the saliency of the new European regulation is of the most relevance for the present and future of the digital economy. Hereby we wrap up some of their useful recommendations in the short term:
- Resolve the legal treatment of online identifiers
- Ensure consistency in the definitions of controllers and processors and their respective obligations.
- Strengthen individuals’ consent in personal data transactions with an unambiguous separation principle.
- The ‘legitimate interest’ as a legitimate basis for the processing of personal data needs further clarification as well as defined boundaries in order to offer legal certainty to controllers and individuals alike.
- In exercising the new ‘right to be forgotten’ controllers should not be left in charge to balance conflicting fundamental rights.
- The scope of the new ‘right to data portability’ should be clarified.
- The one-stop-shop premise must be fully accomplished without depriving mutual assistance and joint operations of national DPAs.
- Sanctions should not be automatic and DPAs should be able to take into account commitments by controllers when imposing a fine.
- Inconsistencies between the future GDPR and the ePrivacy Directive should be tackled.
- The regulation should be further consolidated with the aim to obtain a single and clear policy.
In the Mid-term policy recommendations the report points out the convenience of:
- Fostering a culture of privacy and data protection
- Unifying online personal data processing rules as the fragmentation persists along the lines of the e-Privacy Directive.
- Measuring the privacy and data protection and their effectiveness in the information-rich economy.
The Report also contains a section focusing on the economic analysis of Data Protection with the aim to answer three questions:
- How can personal information be framed in economic terms?
- Why is market behaviour irrational and do consumers value privacy and data protection?
- What are the costs/benefits of Data Protection regulation?
Data protection is one of the major challenges we face, thereby to strike a balance among all interests at stake is the responsibility of all. Let’s collaborate!
Post written in collaboration with Paloma Villa, Public Policy & Internet Department, Telefónica S.A.