Towards a reform of the data protection regulatory framework
The European data protection framework needs to be modernised in order to keep pace with technological change and the growth in on-line services. A proposal for regulation is currently the subject of debate between European institutions and stakeholders.
The right to the protection of personal data is enshrined in Article 8 of the Charter of Fundamental Rights and in the Lisbon Treaty. The 1995 European Directive defines the European regulatory framework for data protection. It strikes a balance between an optimal level of personal data protection and the free circulation of this data within the European Union. The 1995 directive inspired the creation, within each Member State, of an independent body responsible for data protection.
However, in order to keep pace with technological change within the digital world and the spread of internet use and on-line services, the European Commission has decided to update this regulatory framework. To do this, it presented a proposal for regulation in January 2012 designed to provide greater legal certainty through its immediate applicability. According to Jan Albrecht, MEP and Rapporteur for the data protection regulation, the aim is to follow the general guidelines already established by the current directive, whilst unifying the legal framework for data protection and making it more accessible.
In doing this, the Commission wants to encourage the development of the European digital economy and strengthen citizens' control of their personal data. For this, the regulation establishes the rule of "explicit consent" (the "opt-in" by consumers to the use of their personal data by service providers) and prohibits the current practice of implicit consent with the option of refusing this consent (the so-called "opt-out").
The "right to be forgotten" is also included in the regulation proposal, by which consumers will be able to demand that data controllers delete all their personal data and all copies or replications thereof, when there is no justification for keeping them.
In addition, the right to data portability, which is the transfer of personal data from one service provider to another, will be facilitated.
Finally, the expansion of cloud services is leading to the more frequent transfer of data to third countries. The regulation proposal stipulates that European legislation must apply if the personal data of an EU citizen is handled outside the territory of the European Union.
The Commission also wishes to bolster the number of investigations and sanctions by the data protection supervisor (investigations, audits, binding decisions, fines), as well as data processors' obligations.
The Group's position
The Group does not believe that the proposal to impose explicit consent ("opt-in") and to prohibit the use of implicit consent with the option of refusing this consent ("opt-out") is compatible with the expansion of digital services, or that it serves the best interests of the consumer.
The opt-out procedure is now well understood by end-users. It enables client data to be used to offer more targeted services: for example, certain digital business models are based on advertising in the form of banners and even video clips. If opt-in became the rule, the number of consumers whose data would be used to customise advertising messages to their needs would be lower than today, where the opt-out rule prevails. Consumers would be targeted by advertising spots of little interest to them, whereas the use of their personal data would result in advertising tailored to their needs. The same applies to television broadcasters, which have much to gain from offering services more in line with consumer behaviour.
Consumers could be protected by an opt-out mechanism, to be activated at any moment, and, in addition, for those who do not want their data to be used continuously, by a mechanism for deleting old data, like the one used to delete cookies or browsing history, so that their data is reset, without restricting the use of their new personal data in the future.
Furthermore, we think it would be difficult to oblige data controllers to transmit personal data "in an electronic format". Such a measure would have a major impact on the implementation of security rules and is not suited to all companies. Data controllers must be free to choose their own methods to exercise access rights and disclose this information.
We are clearly in favour of strengthening the right to data portability. Even so, the obligation to provide this personal data in a "structured and commonly used format" so that the person can send this data to another automated processing system could represent a considerable cost for companies, particularly as no impact study has been carried out to date.
The "right to be forgotten" is a key element of the regulation, and many citizens want this. However, it would be unrealistic to imagine that all companies would be able to oblige third parties to delete all data that has been previously published. It would be impossible to enforce such an obligation.
Furthermore, the increase in the number of prior consultation procedures by the data protection supervisor could make them very intrusive, which would result in the generalisation of the authorisation regime, which must remain exceptional. The fines stipulated by the data protection supervisor also seem disproportionate (some representing up to 2% of sales).
Finally, the appointment of a Data Protection Officer (DPO) for all companies with over 250 employees, which this draft legislation is proposing to make obligatory, should remain optional.