This article is part of our special report Data protection.
The European Commission will propose next year that companies must abide by the data protection rules of their country of establishment within the EU instead of applying different national laws of the states where they operate, as it is the case now.
Speaking to representatives of the digital industry, Commission Vice President Viviane Reding announced that in the data protection directive review to be published by the end of January 2012, the Commission will propose “a 'one-stop-shop' – one law and one single data protection authority for each business.”
The commissioner, whose portfolio incudes justice, said the applicable law should be the one of the member state in which companies “have their main establishment.”
Reding also reiterated her appeal for higher harmonisation of national rules. “We must strengthen coordination and cooperation between national data protection authorities to make sure that the rules are enforced consistently,” she said in her statement delivered yesterday (28 November) at the American Chamber of Commerce in Brussels.
This matches industry requests to “increase harmonisation by moving towards a country of origin approach,” according to a list of recommendations delivered yesterday to Reding by the recently formed Industry Coalition for Data Protection (ICDP), which includes such main operators in the digital environment as Microsoft Apple, IBM and Siemens.
In particular, the industry “encourages the Commission to streamline provisions on applicable law by introducing a country-of-origin principle. This country of origin could be the European member state where the main establishment of the data controller is located,” reads a common paper published yesterday.
Cutting red tape
The complex patchwork of national laws on data protection is considered a matter of concern not only by business but also by consumers, who fear that companies might profit from different legal regimes and abuse stored data.
That is why over 90% of Europeans interviewed in a Commission poll say that they want the same data protection rules applied all across Europe.
A more harmonised framework is also likely to cut red tape and costs for business, therefore potentially lowering prices for consumers. In fact, the fragmentation of the EU market when it comes to data protection rules causes an extra administrative burden for companies that the EU executive estimates cost €2.3 billion a year.
The industry has been long calling for a reduction of bureaucratic obligations, although this may risk lowering the protection for consumers.
However, Reding appeared ready to make concessions also in this field. “I want to drastically cut red tape by eliminating unnecessary costs and administrative burdens to create a more business-friendly regulatory environment," she said, vowing to "focus on those requirements which enhance legal certainty and are of real value.”
Nevertheless, there are elements of disagreement. A conflict, for instance, seems to emerge between the Commission and the industry concerning the possible introduction of specific provisions for different operators.
Brussels considers, for example, that online social networks might have complementary and specific rules to respect because of the characteristics of their users, which are different from telecoms customers.
Indeed, Reding underlines in her statement that there should be “one law for each business,” thus underscoring the differences amongst service providers.
The industry opposes a tailored approach. “We would not be supportive of a horizontal instrument supplemented by additional legal instruments focused on specific technologies or services as this would not provide the necessary legal certainty,” the industry's paper says.
Reding is also strongly advocating for the right of citizens to give their explicit consent to operators in order to enable them to use their data. “Individuals should be well informed about privacy policies and their consent needs to be specific and given explicitly,” she said again yesterday.
The industry wants instead a more flexible approach to this thorny issue, fearing that if required their consent too often, users may see their technological experience worsened.
“A modern approach to consent should allow for data controllers to choose the most contextually appropriate way of providing information, obtaining consent, and empowering data subjects by offering them control over their data,” the ICDP white paper says.