The European Commission recently announced the final packages to be adopted under its Digital Single Market strategy: an initiative on the data economy and proposals for the review of the ePrivacy Directive and the protection of personal data.
The Digital Single Market strategy aims to tackle restrictions on the free movement of data for reasons other than the protection of personal data. The initiatives announced by the Commission are intended to remove the remaining barriers to the free movement of data within the Single Market.
The Commission’s initiative aims to enhance Europe’s data economy by dealing with unjustified restrictions on the free movement of data across European borders and clarifying a number of legal uncertainties. Data localisation restrictions prevent the flow of certain data across borders within the Single Market, stating that such data must be stored and processed within the relevant state. These restrictions may apply to privately-held data such as accounting documents, tax records or company records or to government and public sector data such as judicial records and national registries. The Commission hopes that providers and users of data-driven services, such as cloud computing, will benefit from a Single Market that does not unnecessarily restrict the flow of data across borders.
The Commission will hold discussions with Member States and other stakeholders on the proportionality of data localisation restrictions in order to gather evidence on the nature of such restrictions and their impact on businesses and public sector organisations. Furthermore, the Commission will launch enforcement actions and take further initiatives if necessary to address unjustified or disproportionate restrictions on data localisation.
Additionally, the Commission has identified a number of legal uncertainties arising from emerging issues in the data economy. It has launched consultations seeking policy and legal responses on the following issues:
- Data access and transfer. Wide use of non-personal machine-generated data can lead to great innovations, startups and new business models born in the EU.
- Liability related to data-based products and services. The current EU liability rules are not adapted to today's digital, data-driven products and services.
- Data portability. Portability of non-personal data is currently complicated, for example, when a business wants to move large amounts of company data from one cloud service provider to another.
ePrivacy and Data Protection
The Commission has proposed an update to the e-Privacy Directive which aims to amend the current rules to extend their scope to all electronic communication providers. The update also aims to “create new possibilities to process communication data and to reinforce trust and security in the Digital Single Market”, as well as align the rules for electronic communications with the newer and more stringent rules set out in General Data Protection Regulation.
The proposed rules have a number of key features:
- New players. The coverage of the e-Privacy Directive will be expanded from traditional telecoms operators to new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skye and Gmail.
- Stronger rules. By updating the e-Privacy Directive with a directly applicable Regulation, all EU citizens and businesses will enjoy the same level of protection.
- Communications content and metadata. Privacy will be guaranteed for both content and metadata derived from electronic communications, which will need to be anonymised or deleted if users have not given their consent, unless the data is required for legitimate purposes.
- New business opportunities. Once consent is given for communications data to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services.
- Simpler rules on cookies. The so called "cookie provision", which has resulted in an overload of consent requests for internet users, will be streamlined. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience.
- Protection against spam. The proposal bans unsolicited electronic communication by any means, e.g. by emails, SMS and automated phone calls, unless users have given their consent. This will in principle also apply to marketing phone calls unless a Member State opts for a solution that gives consumers the right to object to the reception of voice-to-voice marketing calls. Marketing callers will need to display their phone number or use a special pre-fix that indicates a marketing call.
- More effective enforcement. National data protection authorities (such as the Information Commissioner’s Office in the UK) will be responsible for enforcement of the confidentiality rules in the Regulation.
The proposals also set out a strategic approach to the issue of international personal data transfers in order to facilitate commercial exchanges, promote cooperation between law enforcement agencies and ensure a high standard of data protection. The Commission intends to discuss reaching “adequacy decisions” with key trading partners around the world, starting with Japan and Korea in 2017, allowing the free flow of personal data to countries with equivalent data protection rules to the EU. The Commission will also make use of the alternative mechanisms allowed under the General Data Protection Regulation to facilitate the exchange of personal data with other countries where adequacy decisions cannot be reached.
On 17 January, Theresa May indicated that Britain will leave the Single Market following the outcome of the referendum on the UK’s membership of the European Union. It remains to be seen how Brexit will impact upon the measures recently announced by the European Commission and their application in the UK. It would be prudent for organisations to monitor updates as Brexit discussions progress and consider how their operations may be impacted as the UK’s future relationship with the EU becomes more clear.