It was about time. Pre-internet rules on data protection were not fit for our new interconnected reality. The core institutions of the European Union have finally set in stone an agreement which represents an important step in the digital single market strategy launched earlier this year.
Businesses from all over Europe should be celebrating this agreement and thank the institutions for replacing the current patchwork of national laws with a single, pan-European regulation for data protection and unleashing benefits for European businesses – which allegedly could go up to 2.3 billion euros per year. Well… Businesses are not celebrating. Either they did not have the time to go through the 209 pages of the leaked text of the agreement, or maybe they have nothing to celebrate about.
The new law has significantly toughened up the data protection regime in a way which is likely to deter businesses from data innovation. First of all, the scope of the regulation has been expanded. It now applies to companies inside and outside of the EU. Even if personal data is processed outside the EU by companies established outside the EU, as long as they are active in the EU market and offer their products and services to EU citizens, these companies will be bound by the EU data protection regime. This creates inherent conflicts of jurisdiction for businesses, which might find themselves stuck between the obligation to protect the data of citizens of one country and the requirement to disclose data pursuant to national security obligations in another country. Experientia docet here. The US Department of Justice (DoJ) has recently demanded that Microsoft provide access to emails held on a Hotmail server in Ireland. As much as the DoJ claims the right to access the emails of anyone in the world from any email provider headquartered within US borders, Microsoft is firm in its position that the DoJ has exceeded its authority.
Another addition in the new European regulation is that data processors become jointly liable with data controllers for data breaches in the EU. As a result, data processors would need to conduct risk assessments for each customer and intended processing activity, and all service providers which handle personal data will need to renegotiate contracts with data controllers to make sure liability is properly allocated. Moreover, in case of a breach, the processor has the onus to prove that “it was not responsible for the event giving rise to the damage”. In practice, a consumer could upload files to a cloud storage service where the files contain personal data regarding other people, who might then attempt to sue the cloud provider if the files are breached, whoever caused the breach, thus multiplying the processor’s potential exposure.
This will imply an increase in costs which might deter cloud providers from entering the European market and, in turn, create a serious barrier to the development of Internet of Things solutions – which, by the way, is a priority in the DSM strategy. This new regulation, which also requires “unambiguous” consent for data to be processed (with the clarification in the GDPR text that this requires a “clear affirmative action”), might seriously deter the diffusion of IoT solutions in the EU.
I am not sure whether this was the effect intended by our regulators, but the private sector is already voicing that: “[This] will increase significantly the amount of information exchange between controllers and processors, not only increasing the transaction costs in the market but also exposing data subjects and business to increased amount of data breaches, cyber security risks, and corporate espionage due to increased amount of insider knowledge about processing.”
Companies that will not abide by these rules will face sanctions of up to 4% of their global turnover. If we consider that the average net profit margin for IT services providers is slightly above 9%, a sanction of 4% of turnover can easily (or almost certainly) put a company out of business. Viviane Reding (current MEP and former Commissioner for Justice, Fundamental Rights and Citizenship) pointed out that: “When companies do not abide by the rules, they will face consequences. As we are no longer speaking of fines to the tune of 50,000 euros, but rather 50 million euros, it will soon be crystal clear also for non-European companies that European law is to be taken seriously in Europe”. The problem with this statement is that it assumes either that the European market is essential for certain companies or that we do not need the investments and innovation coming from non-European countries. In times when the European Union is struggling to catch up with the digital revolution, nothing could be further from reality.
The new law also raises the age of consent for data processing to 16 years (which Member States may individually lower to 13 years). This means that the friend of mine in the video below – who is successfully working on a line of commercially available 3D printed glasses and is teaching 3D printing and coding to kids – would need to ask his parents’ permission to open an email account…
The digital age is about freedom, about eliminating barriers for people to access knowledge, information, tools and mentors and, above all, is about empowering everybody to take an active role in society – even at the age of 13. This measure simply misses what the digital revolution really is all about.
Another aspect of the regulation which raises concerns relates to the definition and treatment of health data. The new law defines health data very broadly as “all data pertaining to the health status of a data subject which reveal information relating to the past, current or future physical or mental health status of the data subject; (…)”. It is therefore likely that almost any data collected through a lifestyle app or wearable device would be subject to the strict regime for sensitive data – hampering innovation in one of the most thriving markets of digital technology. Moreover, the newly agreed strict privacy by design and by default requirements will affect the development of these devices and of any eHealth and mHealth service that collects and processes personal data. However, the new regime for the processing of health data has not been agreed yet, and the exemption provision for the processing of personal data concerning health (article 81) will be the subject of further voting.
Among other points, the GDPR makes it mandatory for companies to have a Data Protection Officer – except in the case of SMEs which do not have data processing operations requiring ‘regular and systematic monitoring of data subjects on a large scale’ at the core of their business – and to carry out data protection impact assessments. The regulation also gives people the “right to be forgotten” and therefore to have their personal data removed if it is irrelevant or outdated.
The GDPR is de facto making European businesses less competitive (by increasing their cost of using efficient services provided by foreign companies), the European Union less attractive for investment, and European citizens less likely to benefit from the diffusion of innovation, while it is not necessarily adding to the protection of personal data. Together with the recent invalidation of Safe Harbor, foreign businesses seem to be once again those who pay for the failure of inter-governmental dialogue to address outstanding issues on security. And while all attention is devoted to preventing foreign governments from spying on European citizens, European governments smoothly increase surveillance of their own citizens.