Out-Law News | 17 Dec 2015 | 4:32 pm | 4 min. read
Groups including the Industry Coalition for Data Protection (ICDP), Interactive Advertising Bureau Europe (IAB), European Telecommunications Network Operators' Association (ETNO) and the Confederation of British Industry (CBI) are among those to have raised concerns with the new rules.
On Tuesday, the European Parliament and the Luxembourg presidency of the Council of Ministers, on behalf of national governments in the EU, reached a deal on the wording of a new General Data Protection Regulation (GDPR) and a new Data Protection Directive for police and criminal justice authorities.
The package of reforms will replace the existing Data Protection Directive and, in the case of the Regulation, set a single data protection law with effect across the EU. Businesses based outside of the trading bloc will also be subject to the new rules in certain cases. The new framework has still to be formally adopted but is likely to have effect from early 2018.
On Thursday the Civil Liberties Committee at the European Parliament endorsed the texts. The Parliament as a whole is expected to vote on whether to adopt the rules in either March or April, the Committee said.
The ICDP, which represents business groups such as the European Internet Services Providers Association, World Federation of Advertisers, the American Chamber of Commerce to the EU and the Japan Business Council in Europe, said the new rules pose a risk to the EU's plans for growth in digital markets.
"We are very concerned that investors will be scared off from investing in Europe and will build the next big thing in technology elsewhere, like Asia," said Sébastien Houzé, secretary general of the Federation of European Direct and Interactive Marketing (FEDMA) on behalf of the ICDP. "European legislators have clearly underestimated the EU citizen’s demand for data driven services. Having failed to strike the right balance between data protection and inspiring the digital industry, we are afraid this is a major setback to the future of the European digital economy."
The ICDP said that business groups could decide to develop and provide new services in other parts of the world prior to or instead of bringing them to Europe as a result of the new data protection framework. It said that SMEs are likely to be "hurt" by the new regime because "the long list of data related requirements under the new rules will overburden smaller companies".
The ICDP said that it will look to Europe's data protection authorities to adopt a "pragmatic and forward-looking interpretation of the text" and said it hopes the new European Data Protection Board "will show the necessary openness in order to achieve our joint goal of protecting personal privacy and enhancing European competitiveness".
Townsend Feehan, chief executive of IAB Europe, said the agreed data protection framework "is a triumph of populist rhetoric over common sense”.
"The agreed text is full of legal uncertainty, red tape and restrictions which will have the exact opposite result of making Europe ‘fit for the digital age’, as the supporters of the privacy deal struck … claim they aim to do," IAB Europe said in a statement. "Instead it will limit feasible business models and reduce the availability of information and services on the internet."
Allan Sørensen, IAB Europe board member said: "Legal uncertainty and big fines are a toxic cocktail, companies will have little choice but to impose annoying requests for consent every time a user accesses their website. Europe remains a regulatory minefield which means that new data-driven innovative services and products will continue to come to European consumers much later or not at all, and if they come they will be offered by more competitive companies [based outside of Europe]."
ETNO said that providers of electronic communication services will be subject to "double regulation" under the GDPR because those companies are subject to additional data privacy rules set out in the EU's Privacy and Electronic Communications (e-Privacy) Directive.
"We have missed the opportunity to repeal the e-Privacy Directive and include the relevant principles in the GDPR. Europe needs to address this regulatory asymmetry without delay. This can support innovation and growth in its convergent digital markets. For this reason, ETNO urges a swift review of the e-Privacy Directive, aimed at ensuring that consumers enjoy consistent rules, irrespective of the provider of the service," it said.
Matthew Fell, the CBI's interim chief policy director, warned that the data protection reforms could hinder data analytics in areas such as health research.
"From driving research and development in healthcare to powering our free social media and search platforms, data analytics is a vital part of modern business," Fell said. "This new legislation could hamper that with unnecessary administrative burdens and costs, like mandatory data protection officers, placed on firms of all sectors and size. Businesses now need clarity from policymakers and regulators on what actually applies to their business so that they can mitigate the burden and cost of compliance as quickly and effectively as possible."
UK information commissioner Christopher Graham said that it would be a priority of his office next year to "do all in our power to ease the introduction of the new rules – for data controllers and data subjects alike".
"Our approach to regulation begins with clear advice and guidance," Graham said. "We will focus on the new elements first, whilst remembering that there is much in the new regulation that will be familiar to us – the new principles are pretty much the same as the old ones. Our work will be informed by listening and learning about the challenges posed by implementation."
Editor’s note: Allan Sørensen’s words were attributed to Townsend Feehan in a previous version of this article. We apologise for the error.