More protection for EU citizens, but organizational costs for enterprises, with sanctions determined at the EU level – that, in a nutshell, is the EU Commission’s proposal for General Data Protection Regulation.
As for the form, the Regulation is the necessary step towards homogeneous privacy rules throughout Europe for the benefit of all stakeholders. The aim is to bring about legal and practical certainty for individuals, economic operators and public authorities. In this respect, data subjects will see their privacy and data protection rights consistently protected throughout the 27 Member States; enterprises will avoid the costs of implementing different data protection rules in each EU country, possibly making Europe a more attractive territory in which to pursue economic activities; and cooperation between public authorities within the EU will be improved for the benefit of EU citizens.
Looking at the substance, a few preliminary practical remarks on some key points. The scope of application of the Regulation extends to controllers not established in the EU that process personal data of EU citizens by providing products/services or monitoring their behaviour. It will improve protection for EU citizens only if the criteria to determine when a controller in fact deals with EU citizens are specified further.
We could not agree more with the explicit obligation to provide data subjects with information regarding processing in a way that is easy to understand, clear and in plain language, especially where children are concerned. In this respect, visual means such as privacy trust-marks or seals may contribute to users', and especially children's, understanding of the processing of their data.
A comprehensive privacy organizational model is laid down for enterprises. In principle, we find it a very sound approach to enhance companies' awareness of the data processing they carry out, enhance data security and better identify responsibilities. We are, though, concerned about the complexity and the related costs, which can slow down implementation and undermine sustainability. Adoption of internal policies and mechanisms for ensuring compliance, privacy impact assessments, a mandatory data protection officer for large enterprises, notification of personal data breaches, the requirement for companies to maintain documentation on processing operations under their responsibility, respect for data subjects' right to be forgotten (not an easy obligation to comply with!) and rules on data portability will necessitate a substantial re-organization of the privacy processes in most enterprises, with a significant impact on the allocation of human and economic resources, funds for which will need to be found in companies' budgets.
The provisions on sanctions, to be determined at the EU level, together with a duty upon Supervisory Authorities to apply data protection rules consistently throughout the EU, are to be viewed very positively. They will give data subjects a meaningful means of exercising their rights in the EU, and enterprises certainty with respect to the application of data protection rules.
A few remarks on the economics
The sanction structure envisioned by the European Commission could have a negative impact and alarm business players. For companies that are data controllers, the sanctions can reach 2% of global turnover. This is not the only concern. Organizations with more than 250 employees are required to hire a Privacy Officer. Does the benefit match the investment?
The privacy organizational model set forth in the Regulation could impose high costs on SMEs, on top of the other obligations companies will have to comply with. SMEs are certainly the weakest actors in all of this, as they lack the strength to engage in dialogue with the Parliament and the Commission, unlike big corporations.
According to the Regulation, companies that direct their services or offer their products to EU citizens/consumers will be subject to the EU rules, regardless of the principle of territoriality. This solution (at least in theory) answers a number of questions raised in the Internet and cloud computing environments, as well as in all those situations where outsourcing chains span the world.
The Commission has introduced the Regulation with the aim of creating jobs and fostering economic growth. This is questionable. More in-depth analyses of the costs and benefits for companies will certainly be produced in the coming months. It is clear, however, that jobs and growth will not materialize in the immediate term: the Regulation will take effect two years after being passed. How long will it take to be negotiated and voted on by the Parliament, the Council, the Commission and the many stakeholders? A few argue 2 years; many even look to the next legislature.
In conclusion, the Proposal for a General Data Protection Regulation is clearly articulated and presents significant implications for controllers and processors. EPA, in its monthly Privacy Breakfast at the EU Parliament, will thoroughly verify their practical sustainability, which is needed to guarantee effective improvement of privacy and data protection for data subjects. Stay tuned for the outcome of our Privacy Breakfasts on the Regulation on our blog and Twitter.
Paolo Balboni - EPA Scientific Director email@example.com
Pietro Paganini – EPA Managing Director firstname.lastname@example.org