We are a group of 21 European companies, from SMEs to Global Multinationals and non-profit organisations operating in a variety of sectors on a national, regional and global scale. We operate across different sectors of the economy, but we are all present in the digital economy both within and beyond the borders of the European Union (EU). With an aggregate turnover (2015) of over € 222 billion and some 968,000 employees worldwide, our footprint allows us to bring growth, progress and jobs to the EU’s economy.
In 2014, we decided to establish the European Data Coalition (EDC) to provide a European business perspective to the legislative negotiations leading to the adoption of the General Data Protection Regulation. Although different, we are all united in our support of adequate privacy standards.
Before the GDPR becomes fully applicable in 2018, the EDC is keen to participate in the ensuing technical discussions between the Regulators and Industry with the objective of laying the ground to a promising EU data-driven economy. Collectively, we are convinced that in order to fulfil the necessary conditions for a competitive and prosperous EU digital market, we need clear, predictable and practical provisions, open cross-border data flows, balanced codified sanction guidelines, an effective one-stop-shop and the absence of overly prescriptive rules.
In 2016, according to the Boston Consulting Group, the digital economy in the G-20 economies is worth $ 4.2 trillion (up from $ 2.3 trillion in 2010). To put this phenomenon into perspective: if the digital economy was a country its GDP would rank 5th globally behind the United States, China, Japan and India, but ahead of Germany.
By 2015, the World Economic Forum predicts that the combined value to society and industry of digital transformation across industries could be worth $ 100 trillion, with society set to gain more than business.
According to Oxford Economics, ICT generates bigger growth returns for productivity than virtually all other forms of capital investment. Moreover, the OECD has found that the probability of innovation increases with higher levels of ICT use, both for manufacturing and service companies and for different types of process innovations.
Sustained digitisation of non-ICT sectors, public administration and society as a whole largely depends on the ability to collect, process and analyse data. Processing is the backbone of the digital economy, the digital society and the foundation for the future knowledge-based economy and innovation society.
Our aim is to contribute to a progressive implementation of the GDPR and, in particular, to provide real life experience and advice on:
For these issues, the implementation phase will be crucial for developing guidelines for businesses regarding their obligations under the new legislation, for example on the conditions under which data portability (Art. 20) is mandatory. Guidelines will be helpful in ensuring a sensible interpretation of these provisions avoiding excessive costs, without benefits for the consumer.
In addition, guidelines and proposals are needed to ensure the maximum possible level of harmonisation is achieved in terms of data processing conditions (Art. 6). So that companies know how to achieve legal compliance, clarification on the conditions for consent (Art.7) are necessary.
The implementation phase must be used as an opportunity to provide clarity on a number of procedures the new regulation obliges businesses to go through. These include recommendations on the situations in which data breach notifications (Arts. 33-34) are necessary and on the content of data protection impact assessments (Art. 35).
The Article 29 Working Party will be renamed as the European Data Protection Board (EDPB), gain new competences, particularly under the one-stop-shop mechanism, and most certainly have a new budget, allowing it to ensure consistency throughout the EU. Further clarity is still necessary on the full scope of its competences (Arts. 68 and 70). In addition, a chief economist function should be created within the EDPB (or the EDPS), in order to ensure that the full scope of objectives as laid down in the GDPR and related primary EU legislation are pursued in a balanced manner, and that Better Regulation principles are adhered to.
New sanctions to be administered by Data Protection Authorities are created under the GDPR (Art. 83). During the transitional phase, the application of sanctions across EU Member States needs to be based on a predictable process that takes into account both the specificities of the case and mitigating factors, as well as other procedural steps and warning signs. Fines cannot constitute a first step following noncompliance.
The accepted standard for documentation for data processors and data controllers to prove their compliance with the GDPR needs to be clarified and harmonized at an EU-wide level (Art. 82.3). Such standards will help both the data processor and data controller to ascertain whether the required controls have been fulfilled. It will also ensure that the processor is not jointly and severally liable only due to lack of acceptable documentation.
Following the spirit of the GDPR (Arts. 40 et seq.), the transitional phase can be an effective period for the promotion of codes and conducts among businesses. Unified tools and the support of the relevant authorities could greatly accelerate this process.
Member States are able to adopt specific rules on the management of data in an employment context (Art. 88). In order not to lose the benefit of harmonization across the EU brought about by regulation, the Article 29 Working Party should be encouraged to ensure the greatest level of consistency in this matter.
The GDPR contains several derogations and exemptions regarding the restrictions to obligations, data protection rights and certain specific processing situations. This is likely to result in a harmful degree of variation across the EU, demanding from European companies operating across the EU, a permanent adjustment to different approaches adopted nationally by the Member States. In keeping with the aims of an EU regulation, it will be very important for the EC and the EDPB to promote the greatest level of consistency and avoid the unnecessary costs of further fragmentation.