Reding winks at business on data protection review

Viviane Reding, now MEP, created the Rule of Law mechanism as Commissioner.

This article is part of our special report Data protection.

The European Commission will propose next year that companies must abide by the data protection rules of their country of establishment within the EU instead of applying different national laws of the states where they operate, as it is the case now.

Speaking to representatives of the digital industry, Commission Vice President Viviane Reding announced that in the data protection directive review to be published by the end of January 2012, the Commission will propose “a 'one-stop-shop' – one law and one single data protection authority for each business.”

The commissioner, whose portfolio incudes justice, said the applicable law should be the one of the member state in which companies “have their main establishment.”

Reding also reiterated her appeal for higher harmonisation of national rules. “We must strengthen coordination and cooperation between national data protection authorities to make sure that the rules are enforced consistently,” she said in her statement delivered yesterday (28 November) at the American Chamber of Commerce in Brussels.

This matches industry requests to “increase harmonisation by moving towards a country of origin approach,” according to a list of recommendations delivered yesterday to Reding by the recently formed Industry Coalition for Data Protection (ICDP), which includes such main operators in the digital environment as Microsoft Apple, IBM and Siemens.

In particular, the industry “encourages the Commission to streamline provisions on applicable law by introducing a country-of-origin principle. This country of origin could be the European member state where the main establishment of the data controller is located,” reads a common paper published yesterday.

Cutting red tape

The complex patchwork of national laws on data protection is considered a matter of concern not only by business but also by consumers, who fear that companies might profit from different legal regimes and abuse stored data.

That is why over 90% of Europeans interviewed in a Commission poll say that they want the same data protection rules applied all across Europe.

A more harmonised framework is also likely to cut red tape and costs for business, therefore potentially lowering prices for consumers. In fact, the fragmentation of the EU market when it comes to data protection rules causes an extra administrative burden for companies that the EU executive estimates cost €2.3 billion a year.

The industry has been long calling for a reduction of bureaucratic obligations, although this may risk lowering the protection for consumers.

However, Reding appeared ready to make concessions also in this field. “I want to drastically cut red tape by eliminating unnecessary costs and administrative burdens to create a more business-friendly regulatory environment," she said, vowing to "focus on those requirements which enhance legal certainty and are of real value.”

Possible frictions

Nevertheless, there are elements of disagreement. A conflict, for instance, seems to emerge between the Commission and the industry concerning the possible introduction of specific provisions for different operators.

Brussels considers, for example, that online social networks might have complementary and specific rules to respect because of the characteristics of their users, which are different from telecoms customers.

Indeed, Reding underlines in her statement that there should be “one law for each business,” thus underscoring the differences amongst service providers.

The industry opposes a tailored approach. “We would not be supportive of a horizontal instrument supplemented by additional legal instruments focused on specific technologies or services as this would not provide the necessary legal certainty,” the industry's paper says.

Reding is also strongly advocating for the right of citizens to give their explicit consent to operators in order to enable them to use their data. “Individuals should be well informed about privacy policies and their consent needs to be specific and given explicitly,” she said again yesterday.

The industry wants instead a more flexible approach to this thorny issue, fearing that if required their consent too often, users may see their technological experience worsened.

“A modern approach to consent should allow for data controllers to choose the most contextually appropriate way of providing information, obtaining consent, and empowering data subjects by offering them control over their data,” the ICDP white paper says.

European Commission Vice President Viviane Reding said: “Everyone expects a strong, consistent and future-proof framework for data protection, with consistent rules across all member states and across all Union policies. And I am determined to deliver.”

“The revision of data protection rules in the EU should enhance harmonisation and provide the legal certainty which will help deliver a fully functioning Single Market,” said John Higgins, director-general of DIGITALEUROPE, speaking on behalf of the Industry Coalition for Data Protection.

“In its effort to stimulate innovation and enable the EU to deliver on the promises of growth and jobs, Europe must encourage and enable companies to compete on the global stage by streamlining and simplifying the EU’s international data transfer rules,” concluded Higgins.

Thomas Boué, European director for government affairs of the Business Software Alliance said: “We’ve reached an important crossroads for Europe in the information economy. We can either harmonise today’s confusing patchwork of regulations for protecting data, or risk stunting the growth of important new markets like cloud computing. The Business Software Alliance has joined 10 other associations to offer a set of concrete recommendations that will help create a true Single Market for data through an approach that balances our shared interests in protecting data, promoting innovation and enabling a free flow of information.”

The existing European Union rules on data protection were adopted in 1995, when the full potential of the Internet had not yet been realised. According to the EU, in 1993 the Internet carried only 1% of all electronic information, while by 2007 the figure was more than 97%.

While the growing number of tailored products and services offers increased benefits for consumers, it also relies enormously on the use of personal data.

Private information can range from financial data, such as credit card numbers or bank account deposit details, to sensitive information concerning health conditions or sexual and political orientation.

The possibilities for misusing or abusing this information are infinite. The Commission has already flagged several ideas on how to improve data protection, through increased awareness of the data used and possible breaches of personal information; introduction of the right to be forgotten; clearer methods to require authorisation from data holders to deal with their personal information. 

  • End of January 2012: Commission scheduled to publish review of Data Protection Directive

Subscribe to our newsletters