THE VIEWS OF STAKEHOLDERS ABOUT THE EUROPEAN DATA PROTECTION FRAMEWORK

Stakeholders concerned with data protection acknowledge the opportunity to modernize the European data protection framework. They believe it is in the interest of consumers and businesses alike to have an EU data protection framework that is robust, balanced, effective and future-proof. They believe that by fully harmonising EU data protection rules, the proposed Regulation would bring about increased legal certainty and would mark an improvement for businesses and consumers. They also support the creation of a lead Data Protection Authority (DPA) because it would bring necessary clarity and reduce burdens for companies operating in multiple EU markets. However, they also point out that the success of this approach will depend on complete applicable-law and jurisdictional clarity and on clear requirements as to which DPA will be responsible. Indeed, they argue, the benefits of greater harmonisation could be outweighed by the costs of failing to strike the right balance between the protection of Europeans' fundamental right to privacy and data protection, and the promotion of innovation, competitiveness and growth in the Digital Single Market.

7 Key Issues for striking an appropriate balance

1. Personal Data Definition: The new definitions of "data subject" and "personal data" potentially encompass an unlimited range of information, from anonymised online identifiers to an individual's full name and address, their medical records and religious beliefs. In order to make this broad definition workable in practice, stakeholders propose introducing into the definition of personal data a context-based approach and the controller's intention to identify the data subject. Two recitals recognize that context is a relevant factor in this respect, and that data which does not identify a data subject is not personal data. These important limitations should be expressly reflected in the definition of "data subject". Stakeholders also believe that while pseudonymous data is covered by the definition of personal data, the Regulation should explicitly recognize its specificities and clarify how the general obligations can be adapted accordingly.

2. Explicit Consent: By requiring a single form of "explicit consent" for all categories of information (from the anonymous to the truly sensitive), the proposal would not allow for any differentiation between asking for people's consent to placing a cookie, collecting their full name and address, or recording their religious and political beliefs. This risks increasing "consent fatigue" and may lead people to automatically consent to anything, undermining the special care that should be applied in the context of truly sensitive data. Stakeholders propose a context-based approach to consent, permitting innovators to use different mechanisms to obtain consent that reflect how and in what contexts consent is obtained and data will be used.

3. Administrative Burdens: One of the objectives of the review of the Data Protection Framework in Europe is to reduce administrative burdens. This is a worthy ambition, and one which harmonisation and deletion of the notification system go some way towards achieving, as noted in the Impact Assessment accompanying the Regulation. Care needs to be taken, however, to ensure that compliance with new provisions and concepts in the Regulation does not simply replace one set of burdens with another, which may be even weightier than the original provisions.

4. Technical Mandate: Privacy by Design: Privacy by Design should be considered a process for ensuring that data protection is carefully considered in the design and implementation of products and services and not based on prescriptive and specific technologies. Imposing design mandates on particular technologies would directly challenge the neutrality of the legal framework, would result in significant burdens and would hinder rather than promote user privacy and security, by creating single points of failure.

5. Data Processor/Data Controller: The future legal framework should provide for a clear distinction between the responsibilities of a data controller and those of a data processor. Blurring these will only bring more uncertainty, will not serve the harmonization objectives of the reform and is not the way to deal with the complexities of the Cloud. The relationship with data subjects is established and maintained by controllers, and this is why the existing legal framework foresees direct responsibilities for controllers whilst the responsibilities of processors are left to be determined bilaterally between controllers and processors, depending on the circumstances. This current approach is well understood and has proven to be workable.

6. Sanctions: The Regulation takes a “one-size-fits-all” approach and applies the same sanctions to all types of violations regardless of their severity, harm or impact. This should be addressed. The text should specify that only the lead DPA can impose a single sanction per infringement and that it can be applied only to legal entities at national level or at EU level, rather than focusing on a whole group of undertakings at global level. It should be left to the discretion of the lead DPA to decide whether a sanction should be applied (and at what level).

7. European Data Protection Board: European data protection policy must be formulated in a transparent manner that reflects the views of a broad range of stakeholders. Therefore the new European Data Protection Board (EDPB) should follow the European Commission’s own Better Regulation initiative and be made more transparent and accessible by establishing a consistency mechanism open to other stakeholders’ input.
