EU data package: Here’s what you need to know

On Tuesday January 10th 2017, the European Commission unveiled policy initiatives on data aiming to ensure stronger privacy rules and boost the EU data economy. This package, described as ‘the last major Digital Single Market initiative’ by Commissioner Andrus Ansip, includes three main pieces:

Regulation on Privacy and Electronic Communications

• The new privacy rules intend to address Europeans’ concerns about their privacy on electronic communications (computer, smartphone, tablet etc.). If the European Commission tried to find a balance between increasing consumers’ trust while boosting innovation, the regulation will have a significant impact on businesses (see note below for further explanations).

Communication on Building a European Data Economy

• The European Commission outlines in this document the general direction it intends to take to unleash EU’s data economy, expected to represent EUR 643 billion by 2020. It communication stresses the crucial importance of data flows for the European Economy across all sectors and lists legal uncertainties linked with data access and transfer, data liability and data portability. The Commission commits to collecting further evidence before taking any binding actions.

Communication on Exchanging and Protecting Personal Data in a Globalized World

• In this communication, the Commission sets out a strategy to promote international data protection standards and presents different tools to transfer data internationally. Building on new international data transfer rules adopted last year, the Commission also considered simplifying data flows to certain countries, by adopting decisions à la EU-US Privacy Shield, adopted last year. These countries include: APAC — Japan & Korea (2017), India (TBC) — and LATAM — Mercosur.
• This decision will only be adopted if the Commission feels confident that the country in question provides a sufficient level of privacy protection. Quite interestingly, one of the criteria set out to determine whether such a decision should be adopted is whether the country in question could “serve as a model for other countries in the region.” The Commission is clearly hoping to set out a global gold standard for privacy protection. In Justice Commissioner Jourova’s own words: “We have the highest data protection in the world because for us, privacy matters.”

This note provides an overview of the key elements and challenges arising from the first two initiatives. Please do not hesitate to contact us should you wish any further information.

5 THINGS TO KNOW ABOUT THE NEW E-PRIVACY REGULATION

Officially called ‘Regulation on Privacy and Electronic Communications’, the proposal complements the General Data Protection Regulation adopted in May 2016 and aims to ensure the same level of trust and security for B2B communication and communication between individuals. The e-Privacy regulation is an important piece of the Digital Single Market strategy and several elements must be highlighted:

1. A direct and binding effect

Once adopted, the e-Privacy regulation will have binding legal effects and will be directly applicable in all European Union countries with no need to be transposed into national law. It will create rights and obligations for individuals that can be directly invoked before national courts. Data Protection Authorities of Member States will be responsible for enforcing the regulation[1].

2. New rules for new players

For the European Commission, there was a great need to update the last version of the ePrivacy Directive dating back to 2009 as new actors ensuring inter-personal communications have emerged in the meantime. Initially, ePrivacy rules were only applied to telecom companies. Therefore, the main goal of this regulation is to extend its scope to new Internet based services, also called ‘Over-the-Top communications services’ (OTTs) by the European Commission. This will have a significant impact on online messaging applications such as Facebook, WhatsApp or FaceTime that will have to engage new costs to respect new privacy rules. Also, it is worth mentioning that although the Commission wanted to guarantee a level playing field for telecom operators when processing data, the regulation still imposes telco-specific restrictions on traffic and data location.

3. A pro-consumer regulation

Andrus Ansip clearly stressed that ‘consent of users is paramount’ in this regulation. Indeed, any activities linked with data and metadata processing (including intercepting, scanning, or storing) will require the users’ explicit consent. The regulation also seeks to give full control to users on their privacy settings. Regarding cookie warnings, users will not have to click on cookies banners anymore as they will set their own level of protection in their internet browser. Only a few exceptions do not require users’ consent: non-privacy intrusive cookies aiming to improve internet experience (e.g. login information for the same session) or cookies counting the number of visitors for a website.

4. The advertising sector highly affected

If the regulation does not prohibit online ads, it will have a significant impact on ad companies or website containing ads. Indeed, by giving an extensive control to users on their privacy settings, it will limit targeted online ads, threatening publishers that count on online ads as a source of revenue. Spam and direct marketing communications will be also conditioned on users’ consent. Companies failing to respect users’ consent could be fined up to €10 million, or 2 percent of their annual turnover.

5. Next steps

The Commission set an ambitious schedule, calling European legislators to ensure the adoption of the regulation by 25 May 2018, when the General Data Protection Regulation will enter into force.

5 THINGS TO KNOW ABOUT THE COMMUNICATION

1. The Commission is not introducing new rules… yet

• The Commission merely outlines in this document the general direction that it intends to take;
• Consultation is the order of the day. The Commission is now waiting to gather additional views and data to determine whether new rules will be necessary to boost the EU data economy.

2. There is a lot at stake

The Commission once again recognizes the crucial importance of data flows for the European Economy across all sectors, from manufacturing to transport, healthcare, financial services, agriculture and energy:

• The EU data economy is expected to represent EUR 643 billion by 2020[2];
• The wider adoption of cloud computing services could lead to a reduction of energy consumption and carbon emissions by at least 30 percent.

3. Four key questions raised… but left unanswered

Data localization — In a very welcome move for data-driven businesses, the Commission took a stand against data localization, that is measures that would require data to be stored or used in the country where it is collected:

• The free movement of data within the EU should be the rule;
• These measures, that currently apply in 22 EU Member States, are particularly burdensome for SMEs and start-ups, and imply significant financial investments. Removing these measures would amount to no less than EUR 8 billion per year in cost savings and efficiency gains;
• The Commission denounced the justifications of such measures, particularly misconceptions that data is more secure if stored locally and made an economic case for their removal. An argument that has been repeatedly put forward by industry. However, it remains to be seen after the consultation process, whether the Commission will eventually decide to counter such measures in Europe. At this stage, it will only consider whether they are proportional and justified.

Access to data — recognizing the substantial value of access to large datasets to innovate across different sectors e.g with data collected via Internet of Things, the Commission intends to explore ways to promote such access and data sharing in horizontal and sector-specific discussions.

Liability — In a world where factories, cars and everyday objects are connected, who should be held liable? Should it be manufacturers, operators or software providers? The Commission does not believe that current rules fully answer these questions. Alternatives will be explored in the consultation process.

Data portability and interoperability — Should new rules be adopted to ensure that non-personal data is easily transferable to other providers?

4. An inward-looking take on a global issue

• This is certainly a step in the right direction for businesses that the Commission acknowledges the importance of data flows for the economy, it appears that the Commission is taking an EU-centric view on this issue. No mention is, indeed, made of global data flows, although many might argue that the internet knows no borders, and that data flows are essentially global.

5. Next steps

• The Commission is launch a public consultation in the next three months.
• This will be the perfect opportunity for stakeholders to get their voice heard, and share additional data and evidence to inform potential upcoming EU measures.

What can you do?

• Keep an eye out for what happens next — All is not set it stone at this stage.
• Cut through the noise and make sure your voice is heard. Speak-up and ensure that the Commission, as well as EU policymakers negotiating new EU rules, understand what’s at stake for your business.

How can we support you?

• Be your eyes and ears on the ground — Our team can help you understand all the moving pieces in what is an extremely complex situation. Not only can we closely monitor these developments across Europe, but we can also analyze how they might impact your business.
• Connect you to the right people — Our team can connect you with those who will be instrumental in the coming months, be it directly or indirectly.
• Get your message across — We can help you refine your position on this issue and make sure your voice is heard by the right people through all appropriate channels i.e. traditional media, digital, etc.

[1] The full list of national Data Protection Authorities is accessible here.

[2] European Data Market study, SMART 2013/0063, IDC, 2016

Originally published at edelman.be on January 12, 2017.