Digital Single Market saga continues: data protection, how to do it?



Several years after the presentation of the EU Data Protection Reform in January 2012, a political agreement was reached a few days ago between the European Commission, the European Parliament and the Council in trilogue meetings. The European Commission presented the first legal proposal for the Digital Single Market (DSM) seven months after publishing the DSM strategy. The proposals cover e-commerce and copyright rules, with the purpose of making cross-border rules simpler and more efficient. The new rules will be formally adopted at the beginning of 2016, with a two-year transition period to prepare for implementation.

A directive dating back to 1995 is certainly not up to date with the increasing development of the Internet and how individuals use it. This explains the importance of a solid harmonisation of the rules, as the Internal Market has become more interlinked than ever.

While e-commerce has grown significantly, consumers may not be aware of all the consequences, rights and threats to their privacy behind a simple online sale.

This is why it is important to have legal certainty, clarity and consistency in the implementation and enforcement of the rules, and for all national authorities to have equal resources and powers available to deal with complaints and control the use of personal data.


Within a challenging digital environment, we lack a high degree of harmonisation and the efficiency necessary to ensure the right to personal data protection.

Data controllers face a fragmented legal framework which has created legal uncertainty and uneven protection for individuals. Meanwhile, the Court of Justice (CJEU) has ruled in several cases on the existing legal gaps that companies or individuals try to exploit in order to access or store personal data. On 6 October 2015, through the Safe Harbour decision, the Court of Justice stated that, in the light of the Charter of Fundamental Rights of the European Union, a third country, such as the United States, does not ensure an adequate level of protection for personal data. For this reason, a national supervisory authority of the EU may not be discharged from examining an individual's claim concerning the transfer of personal data from a Member State to a third country when the individual contends that the law and practices in force in that country do not ensure an adequate level of protection.

As has been known for many years, the level of personal data protection in the United States, for example, is very low and national authorities may have privileged access to the data. For this reason, the European Union must keep its high standards of protection, to ensure respect for the fundamental rights of EU citizens.


The objective is to strengthen the rights of individuals, giving them more control over their personal data, with easier access to data, the 'right to data portability' between service providers, the 'right to be forgotten', and greater responsiveness, with regular communication to the national supervisory authorities on serious data breaches. These measures will require businesses to take the European rules more seriously and adapt their current practices very carefully, through more transparency on the use of their customers' data. The idea is also that citizens become more aware of, and empowered by, the existing means to guarantee the protection of their rights. When individuals request information from companies about their personal data, the regulation must limit the exceptions under which a company may refuse to situations involving criminal matters or express requirements by the national supervisory authorities. Complaints can be filed in the citizen's home country rather than the country where the company's headquarters are situated. This measure brings citizens closer to solutions to their complaints. Disputes will be settled at a higher stage by a new European Data Protection Board. Individuals will have more control over their data and its use, while companies that don't comply with the rules will face fines of up to 4% of global sales.

Consumer and civil rights NGOs recognise the importance of the reform and make clear that, even if the new regulation is not perfect, it strengthens consumers' fundamental rights to the protection of their personal data. In this respect, a risk remains that the national regulators will still interpret the rules differently. On the other hand, business associations consider that the regulation will bring more bureaucratic complexity to the handling of cases by the national authorities and longer law enforcement procedures. (3)

Regarding liability, the difference between data controller and data processor will be better established, because the latter, which is not liable today, will be liable under the new regulation. This brings more responsibility to companies dealing with personal data when processing and transmitting it to national authorities. In this sense, the exact wording and meaning of some of the terms are crucial so that supervisors and courts are able to understand and interpret the practices followed by a company when collecting data.
Companies have therefore been complaining about the increased structural costs of managing and processing the data, and about adapting the structure of the company to the requirements to be established by the regulation. For example, except for SMEs, big companies must have a data protection officer.

Because we are now living in an extremely digital society, the growing share of the population using electronic tools and accessing the Internet has created a strong need for more protection. Plenty of opportunities can be found online, and they should be used according to secure and respectful practices by all. They need to be developed in order to achieve better results in a diversity of areas, such as health, education, employment, etc.

A trustworthy environment for the use of open data must include respect for strict security, privacy and data protection.

Besides the typical case of e-shopping and the disputes raised between a company and a customer, we can think, for example, about crowdfunding, a new tool for funding a project or venture by raising monetary contributions from a large number of people via the Internet. The practice has a strong transnational aspect when considering false or misleading prospects for funding, tax evasion and money laundering, which require international transparency agreements beyond the EU to ensure detection and accountability of fraudulent crowdfunding offers.

While the EU is engaged in improving the policy, citizens should also be more aware of how much personal information should be shared. In particular, children are now raised with little awareness of how to judge the necessity of sharing information online. Social media networks have brought these aspects to light, and the debate is not finished, because the constant evolution of the digital and electronic instruments available to society will rapidly surpass any regulation, with the creation of new platforms and ways to share information. However, the objective of the European Commission's proposal remains the same: to guarantee that companies respect the obligations that are established, and that citizens and customers have a guarantee of respect for their rights.


Final Quote: "Consumers’ personal data is a gold mine for many business sectors. The way the internet works means the potential to acquire, scour and use our data is enormous. To update this pre-Internet privacy law was much-needed and long overdue." Monique Goyens, Director General of the European Consumer Organisation (BEUC) (4)
