Christmas is around the corner. On 25th December, we will all be celebrating. On 25th January 2012 European Commission put forward legislative proposals for an ambitious Data Protection Reform: almost four years, 47 months have been necessary for Legislators to reach an agreement on how this reform should look like.
In this period, the debates around privacy and data protection have left the very specialized circles of Lawyers and Law makers to become a subject of general discussion. In today’s world, as data permeates everything we do in our digital lifes and touches all public and private organizations, data protection merits more and more public attention (without mentioning that Snowden revelations were like a bomb in the already very tense debates). Data has been defined as the “new R&D” for 21st Century Innovation Systems. And when many say data is the new oil, OECD recent study on Data Driven Innovation considers data as an “infrastructure”[1].
The main goal of the Regulation was to achieve a comprehensive framework technologically neutral, future-proof and flexible enough to allow the development of new services in Europe while maintaining Europe’s high standards in the protection of personal data.
Will the new Regulation be able to fulfill these high expectations?
The political agreement reached between the European Parliament and the Council on 15th December is fruit of long negotiations and compromises. It cannot satisfy everyone. The agreement has been accused of failing to stimulate competitiveness or being an additional factor for Europe’s “sad spiral of digital self-destruction”. But, at the same time, it has been accused of lack of ambition and that it has just achieved the bare minimum data protection standards considering the current political scenario. The Luxembourg Presidency, which has been leading the negotiations with European Parliament since July, is very aware of the critics and this is probably its strength: it must be a compromise.
And in fact, the most important success of the Regulation is the fact to be there:
– The Regulation will contribute to achieving harmonization within the EU and to creating a consistent experience for all consumers across the Digital Single Market, no matters the country of the consumer or the provider (territorial harmonization).
– The Regulation will apply to companies established in the EU, but also to companies not established in the EU offering goods or services to EU citizens (enlarged territorial scope).
– These two elements are very important steps towards a level playing field. But, unfortunately, there is third element (service neutrality) that the reform has not tackled.
The GDPR has missed a unique opportunity to achieve a fully technologically neutral legal framework (one of the main objectives of the reform). As long as the ePrivacy Directive coexists with the GDPR, there will be no real level playing field.
Against a background of global convergence and competition in innovative services, the co-existence of the e-Privacy Directive and the GDPR is incompatible with the principle of sector and technological neutrality. Europe needs to address without delay this example of asymmetry, otherwise the result is bad for both businesses and consumers, as consumers will continue to face inconsistent privacy experiences for functionally equivalent services.
A swift review of the ePrivacy Directive, aimed at ensuring that consumers enjoy consistent rules, irrespective of the provider of the service (same services, same rules), is more important than ever and it has been recognised so by the Digital Single Market Strategy. Therefore, the Commission should take urgent steps to ensure that the length of time during which these legislative inconsistencies exist is minimized to the greatest extent possible.
GDPR will become applicable two years after its formal adoption in Spring 2016. We have ahead of us two years until Spring 2018 to undertake a fundamental review of the ePrivacy Directive.
In this line, for the European Data Protection Supervisor (EDPS) it is clear that the ePrivacy Directive will have to be amended and that a clear framework for confidentiality of communications is necessary as this is an integral element of the right to privacy, which governs all services enabling communications, not only providers of publicly available electronic communications. Otherwise, EDPS considers the reform package will be incomplete. EDPS Opinion 3/2015 published this summer stated: “This must be done by means of a legally-certain and harmonising regulation which provides for at least the same standards of protection under the ePrivacy Directive in a level-playing field”.
[1] OECD book on “Data Data-Driven Innovation: Big Data for Growth and Wellbeing”