
TechUK GDPR Trilogue Briefing September 2015


BUILDING A GENERAL DATA PROTECTION REGULATION FOR THE DIGITAL AGE

TECHUK BRIEFING ON KEY ISSUES FORTHCOMING IN THE TRILOGUE

September 2015

Europe is entering a crucial stage in the General Data Protection Regulation (GDPR) negotiations, where it is
essential not to lose sight of what matters to both EU citizens and businesses to unlock the full potential of the
digital economy. The GDPR will either underpin or undermine Europe's digital economy and define Europe's
wider ambitions for jobs and growth.

The trilogue negotiations between the European Council, Commission and Parliament represent an important
step forward in Europe's efforts to build a modern and workable framework fit for the digital age. The EU needs
to finalise the GDPR to unlock the true scale of the Digital Single Market and enable the full potential of
innovative data use for the benefit of consumers and industry.

Europe's data protection regime can achieve the twin goals of making it easier for citizens to understand and
manage the use of their own data, and providing the more harmonised and predictable regulatory environment
that small businesses need.

During these critical negotiations, all parties should recognise the immense impact the final regulation will have
on innovative small and scaling European businesses. It is vital that the final regulation continues to allow these
businesses, which are critical to creating new jobs and growth, to innovate and scale.

With these ambitions in mind there are a number of core issues that remain to be resolved. Now is the time to
ensure that we get the GDPR right. As such, techUK has presented its key redline issues to help the negotiators
achieve a balanced GDPR that is fit for the digital age.

PROFILING (CHAPTER I & II)


Profiling, and automated decision making based on profiles, are key instruments for offering personalised
services and harnessing the power of data to improve lives.

Profiling, both with and without direct human intervention, is important for everything from fraud prevention
and credit assessments to booking holiday insurance and traffic-data analytics. The Council's language on this
issue is a welcome intervention. It will help business provide innovative solutions while also protecting citizens
from excessive requests for consent for routine non-sensitive activity, which may lead to consent fatigue and
weaken the value of meaningful consent, as was seen with the Cookies Directive.

The negotiators should accept the Council position on profiling in Chapter I & II.

Many smaller businesses use profiling to unlock the benefits of big data, which are vital for Europe's economic
growth and job creation.

CONSENT (CHAPTER I & II)


Consent provides one of the strongest legal bases for processing of data and acts as a critical interconnect
between the data subject and the data controller.

However, the Parliament's requirement for explicit consent in all matters would not only undermine digital
business models but could weaken the value of consent for consumers. Users would be continually subject to
requests for consent and could potentially begin to consent without consideration, which would result in explicit
but meaningless consent and weaken the value of consent through consent fatigue, reflecting the outcome
of the Cookies Directive.

Instead, the negotiators should recognise that different types of consent are needed for different types of data
processing.

The Council's proposal for unambiguous consent should be adopted as it provides a high level of protection
for consumers for routine data processing activities, as explicit consent will still be needed for sensitive data.

The distinction will allow companies to specifically flag certain high-risk processing activities to consumers. If
explicit consent is needed for routine and day-to-day processing activities, it will lose its current
awareness-raising function for more sensitive types of data use, leading to less informed, aware and protected individuals.

Additionally, the requirements of explicit consent would require the collection, storage and processing of
additional personal data to ensure organisations are in compliance with the stringent requirements that an
explicit consent regime places on companies. This would take the form of forced log-ins, which would run
counter to the original aims of the regulation.

PURPOSE LIMITATION (CHAPTER II)


A foundation of profiling is the purpose limitation principle, which should allow for the beneficial use of big data
and big data analytics, especially where data is pseudonymised / anonymised, or where there is no risk of harm
to individuals.

The further processing of data based on compatible purpose is a strong basis for companies to use these
techniques, based on reasons that are compatible with the original consent.

The Council amendments on purpose limitation are to be welcomed as they take into account the wider
context, range of services and benefits consumers can access with simplicity and ease based on its use.
Compatible purpose allows businesses to offer new services in a simple, convenient and streamlined fashion to
complement user experience.

For example, opportunities to build a cleaner and more sustainable energy grid via SMART meters will be
deeply affected. The Council text will allow energy providers to measure and profile their consumers' usage to
determine which of their consumers would benefit from a new service or offering.

LEGITIMATE INTEREST (CHAPTER II)


Legitimate interest provides a strong legal basis in European data protection law and underpins the future of the
data economy. It is both an enabler of data-based business models and a tried and tested safeguard for
protecting the interests and rights of data subjects. It is used to fulfil a range of regulatory requirements, from
anti-fraud checks and credit checks to offering a range of financial products.

Legitimate interest currently provides a systematic and measurable method by which data controllers can
carefully consider the effects the planned processing will have on the data subject.

The Council text on Article 6 must be retained as a vital enabler of the digital economy.

Negotiators should recognise the full importance and value legitimate interest plays in the digital economy. In
particular, big data, analytics, mobile services and other innovations/growth opportunities across the digital
sector are dependent upon the legitimate interest legal basis.

JOINT LIABILITY (CHAPTER VIII)

The introduction of joint liability will create a complex legal environment in which citizens will become confused,
disjointed and uncertain about who to go to in the data value chain. The data subject will no longer be able to
simply rely on their direct relationship to the data controller and may have to seek recourse from a variety of
processors, who may be located either in or out of Europe. This will make it harder, not easier, for individuals
to exert their data rights.

The language around liability (Article 77) needs to be reviewed and the introduction of processor liability should
be removed.

The increased threat of liability for processors will drive up assurance costs, as processors have to shoulder
increased liability on their systems, which may ultimately be passed on to both the consumer and SMEs who
utilise cloud-based services as a means of providing and using services.

ONE-STOP-SHOP (CHAPTERS VI & VII)


The GDPR is a window of opportunity for the EU to provide an effective One-Stop-Shop that harmonises the
work of national Data Protection Authorities (DPAs) and makes it simpler and easier for businesses and citizens
to navigate the data protection landscape. The current proposals in both the Council and Parliament texts do
not meet these objectives of reducing bureaucracy to create a more positive environment for European
businesses to grow across member states.

SANCTIONS (CHAPTER VIII)


Financial penalties are the mainstay of strong data protection enforcement. Sanctions and fines should focus
on actors who intentionally, or as a result of gross negligence, cause specific harms to consumers or other
businesses. The final text should move away from a one-size-fits-all approach by equipping lead DPAs to
analyse instances of data breaches on a case by case basis taking into account the facts of the breaches and
steps taken by the company. Given the size of potential fines, the trilogues should provide clarity on what entity
the turnover cap is based upon.

Contact

Charlotte Holloway
Head of Policy / Associate Director
charlotte.holloway@techuk.org
+44 (0) 20 7331 2030

Shane Murphy
Policy Executive
shane.murphy@techuk.org
+44 (0) 20 7331 2169

www.techUK.org / @techUK
