March 11, 2014
This week, the European Parliament will almost certainly adopt a resolution calling for amendments to the draft EU Data Protection Regulation. This legislative process has taken an unusually long time – and rightly so, because the topic is complex and technical, and because the stakes are very high. Every single company in Europe is affected, because they all deal with either employee data, customer data, or more likely, both. Rules on how this is done are self-evidently fundamental to how the European economy works, at a very organic level.
As I said a few months ago, I think good progress is being made on a number of key aspects of the law. In particular, the European Parliament is taking a very welcome and practical line on the most fundamental aspect of the legislation – the definition of what constitutes personal data. We are at least going to be building on a strong foundation.
However, the Parliament is about to miss a valuable opportunity to ensure that the legislation is truly modern and world-leading. We are talking about the difference between a crumbling 1960s apartment block (nevertheless built on strong foundations) and an earthquake-proof, carbon-neutral, Internet-enabled home for the 21st century.
On fundamental structural aspects of the text, such as the limited set of legal bases companies can use to process data, the Parliament proposal falls well short of being workable. This is the case, for example, for the “consent” legal basis, where the Parliament has accepted the Commission’s simplistic and unsophisticated view that one size (“explicit consent”) really fits all. We know from practical reality that such a rigid approach will result in perverse privacy effects.
Another is the issue of “profiling”. As defined in the text, profiling is synonymous with any kind of data crunching that is designed to help a company customise its services. Since this is fundamental to any business, this means a vast volume of activity will be covered. If, as Parliament will propose, all profiling is subject at minimum to an opt-out, European businesses will find it extremely costly to implement systems and processes for such an opt out to be exercised, even in the vast majority of circumstances where it is completely unnecessary (imagine what your butcher would have to do if you ask him not to keep a record of what meat you buy so that he can serve you better).
European elections loom, and the next Parliament may take a different approach. But it is disappointing that this one has failed to do what it can to protect privacy and support the economy by cutting red tape.
You can also read this post on the Allegro Group blog site.