The European Commission (EC) recently announced the final packages to be adopted under its Digital Single Market strategy: an initiative on the data economy and proposals for the review of the e-Privacy Directive and the protection of personal data.
The Digital Single Market strategy aims to tackle restrictions on the free movement of data for reasons other than the protection of personal data. The initiatives announced by the EC are intended to remove the remaining barriers to the free movement of data in the single market.
The EC’s initiative aims to enhance Europe’s data economy by dealing with unjustified restrictions on the free movement of data across European borders and clarifying a number of legal uncertainties.
Data localisation restrictions prevent the flow of certain data across borders in the single market, stating that such data must be stored and processed in the relevant state.
These restrictions may apply to privately held data, such as accounting documents, tax records or company records. They may also apply to government and public sector data, such as judicial records and national registries.
The EC hopes providers and users of data-driven services, such as cloud computing, will benefit from a single market that does not unnecessarily restrict the flow of data across borders.
The EC will hold discussions with member states and other stakeholders on the proportionality of data localisation restrictions to gather evidence on the nature of such restrictions and their impact on businesses and public sector organisations.
It will also launch enforcement actions and take further initiatives if necessary to address unjustified or disproportionate restrictions on data localisation.
The EC has identified a number of legal uncertainties arising from emerging issues in the data economy. It has launched consultations seeking policy and legal responses on the following issues:
- Data access and transfer: wide use of non-personal machine-generated data can lead to great innovations, startups and new business models born in the European Union (EU).
- Liability related to data-based products and services: the current EU liability rules are not adapted to today’s digital, data-driven products and services.
- Data portability: portability of non-personal data is currently complicated – for example, when a business wants to move large amounts of company data from one cloud service provider to another.
Data protection and e-Privacy
The EC has proposed an update to the e-Privacy Directive, which aims to amend the current rules to extend their scope to all electronic communication providers.
The update also aims to “create possibilities to process communication data and to reinforce trust and security in the Digital Single Market”, as well as align the rules for electronic communications with the newer and more stringent rules set out in the General Data Protection Regulation (GDPR).
The proposed rules have a number of key features, including expanding the coverage of the directive from traditional telecoms operators to new providers of electronic communications services, such as WhatsApp, Facebook Messenger, Skype and Gmail.
The e-Privacy Directive will also be updated with directly applicable regulation, meaning all EU citizens and businesses will enjoy the same level of protection.
Privacy will be guaranteed for both content and metadata derived from electronic communications, which will need to be anonymised or deleted if users have not given their consent, unless the data is required for legitimate purposes.
Once consent is given for communications data to be processed, traditional telecoms operators will have more opportunities to use data and provide additional services.
The so-called cookie provision, which has resulted in an overload of consent requests for internet users, will be streamlined. The proposal clarifies that no consent is needed for non-privacy-intrusive cookies that improve the internet experience.
The proposal also bans unsolicited electronic communication by any means – for example, by emails, SMS and automated phone calls – unless users have given their consent.
In principle, this will also apply to marketing phone calls unless a member state opts for a system that gives consumers the right to object to the reception of voice-to-voice marketing calls. Marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.
National data protection authorities, such as the Information Commissioner’s Office (ICO) in the UK, will be responsible for enforcement of the confidentiality rules in the regulation.
The proposals set out a strategic approach to the issue of international personal data transfers to facilitate commercial exchanges, promote co-operation between law enforcement agencies and ensure a high standard of data protection.
The EC intends to discuss reaching “adequacy decisions” with key trading partners around the world, starting with Japan and South Korea in 2017, allowing the free flow of personal data to countries with equivalent data protection rules to the EU.
The EC will also make use of the alternative mechanisms allowed under the GDPR to facilitate the exchange of personal data with other countries where adequacy decisions cannot be reached.
On 17 January 2017, prime minister Theresa May indicated that Britain will leave the single market following the outcome of the referendum on the UK’s membership of the European Union.
It remains to be seen how Brexit will affect the measures recently announced by the European Commission and their application in the UK. It would be prudent for organisations to monitor updates as Brexit discussions progress and consider how their operations may be affected as the UK’s future relationship with the EU becomes clearer.