These comments were contained in a position paper that the GPA submitted to the European Commission, as part of a consultation on the implementation of the 1998 Data Protection Directive.
In its paper, the GPA suggests that transborder data flows should be simplified and “better facilitated” through industry self-regulation and codes of conduct.
The GPA also points out that the Directive “fails to provide sufficiently clear and workable criteria for determining the legal regime applicable to data processing activities”, and claims that the risk of “simultaneous application of several different regimes” increases the costs of compliance.
The GPA further believes that the application of the Directive to internet-only contracts from outside the EU is “unworkable”, and that Member States’ data protection laws should not apply based solely on accessibility by an individual to a web site.
Finally, the GPA finds that EU law makes it “extremely time-consuming, expensive and burdensome” for US companies to store business data of European citizens, and suggests that only “truly” personal data and not business contact data should fall within the scope of the Directive.
The GPA comments will feed directly into the European Commission’s data protection conference, which will finish later today.