September 3, 2015
Could EU data protection rules ultimately thwart the Juncker Commission’s digital ambitions?
The Juncker Commission’s flagship Digital Single Market Strategy, in the words of former DG CONNECT Director-General Robert Madelin, is “focused, ambitious, and risk-taking”. Indeed senior European Commission officials will acknowledge that in implementing the DSM, the Commission is going to have to pick some big political fights.
One of the battles that it has opted to avoid, however, is with advocates of the proposed General Data Protection Regulation (GDPR).
Yet it is quite possible that the GDPR poses the single biggest threat to the realisation of the DSM. This blog post examines some of the key tensions and contradictions between the two.
Borderless mindset, data localisation
- The DSM explicitly endorses the borderless mindset that advocates of digitalisation insist is necessary. Borders, whether within Europe or between Europe and the rest of the world, are incompatible with the DSM vision. In this mindset, data localisation requirements are a no-no.
- By contrast, the GDPR is fundamentally pro-borders as a mechanism to protect personal data. The most important border is the external border of the EU with the outside world, inherited from the 1995 Directive, which bans the export of personal data from the EU, subject to certain exceptions. Other jurisdictions regard this, rightly or wrongly, as one big data localisation requirement.
Online vs. Offline
- The DSM strategy seeks to help the digital part of the single market catch up with the offline world by targeting “barriers that do not exist in the physical Single Market”.
- The GDPR goes in the opposite direction by specifically targeting the online world. If this were not clear from the texts on the table (notably on the right to be forgotten, data portability, and the definition of personal data itself), it is certainly clear from the rhetoric, which is focused on the challenge of dealing with big multinational (mainly American) Internet companies. The impact of these online-focused provisions on the offline world has not been systematically assessed.
Power of major US platforms
- The DSM acknowledges the challenge posed by American leadership of many parts of the digital space and responds with a high level of ambition for European competitors – the politics of hope.
- The GDPR, on the other hand, expresses the politics of despair and proposes rules that are designed to slow down big US players rather than empower their European competitors. For example, forcing the broad use of explicit consent would help cement the positions of the market players with the largest numbers of registered users.
- The DSM seeks to harmonise, and indicates a wide range of proposals that will make rules more consistent across Europe
- The GDPR pays lip service to harmonisation – notably in that it is a Regulation and not a Directive – but in reality is likely to decisively prevent harmonisation. This is the case for provisions relating to the “one-stop-shop”, to codes of conduct, to broad exemptions for the public sector and employment law, and a range of other areas where the secondary policy will have to be made by the Commission, data protection authorities, or other bodies.
Big Data and the Internet of Things
- The DSM acknowledges the fundamental economic and social importance of cloud computing, big data, and the Internet of Things, and aims to stimulate investments in these to make Europe a global leader.
- On the other hand, the GDPR views big data as a risk. Provisions on profiling seek to establish the principle of individual control over the public good, and the purpose limitation principle seems likely to be worded in such a way that makes it impossible to use existing data to address problems that were not envisaged at the time of collection, without asking every individual for explicit permission.
- The DSM aims to sweep away a range of barriers to investment in innovation in Europe, notably by focusing on ownership, interoperability, usability, and access to data.
- The GDPR views innovation with suspicion. The European Parliament is proposing to restrict the use of one of the key legal bases (Article 6.1.f) such that it can only be used if it meets the “reasonable expectations” of the data subject. What is innovation if not unexpected?
Illegal Content & Cybersecurity
- The DSM seeks to promote a more effective fight against illegal content and cybersecurity threats by examining what actions can be taken by digital market actors.
- Simultaneously, the GDPR seems likely to restrict the legal bases available for industry to take such actions (notably Article 6.1.f).
- The DSM seeks to encourage public authorities to make the citizen-consumer’s experience easier by doing more data processing and exchange in the back-office. The idea is that once the authorities have your data, the citizen-consumer does not need to provide it again in order to obtain a new public service.
- Bu the GDPR obliges data controllers to seek permission anytime they process data for something other than the original purpose. The fact that an insertion is needed in the DSM clarifying that Once-Only must be done in compliance with data protection legislation strongly implies that the drafters were aware of this conflict or tension.
- The DSM clearly states the ambition of bringing legal certainty as to the allocation of liability relating to the processing of data. Indeed it explicitly acknowledges the role of the liability regime in the e-Commerce Directive in underpinning the growth of the Internet.
- The drafters of the DSM understood the tension with the GDPR- why else would the ambition be qualified by reference to personal data: “Legal certainty as to the allocation of liability (other than personal data related) is important for the roll-out of the Internet of Things.” Is liability related to personal data not important for the Internet of Things?
- The DSM shows a clear understanding of the skills gap in Europe with regard to the ICT, and promises to address this.
- By dramatically increasing the administrative burden on companies and requiring the appointment of data protection officers, the GDPR will create massive demand for data protection professionals, especially lawyers. Neither the DSM nor GDPR seem to acknowledge this particular skills gap.
It’s not hard to see why this combination of differences in the underlying principles and the practical implementation would create, to put it mildly, significant friction for the realisation of the Juncker Commission’s ambitious DSM vision. Clearly, taking on the defenders of the text of the Commission’s GDPR proposal would be a big political risk. The question is whether the Juncker Commission will conclude that the risk of seeing DSM fail because of the GDPR is bigger.
 See http://www.euractiv.com/sections/innovation-industry/madelin-i-have-been-appointed-job-be-creative-317192 “What distinguished the Digital Single Market from the Digital Agenda for Europe is that it is very focussed and much more ambitious.
Between 2010 and 2015 we cleared the ground, we laid the foundations, with 138 actions. Strategically, Juncker went from having the strong vertical approach under Neelie Kroes to having a sort of T-shaped digital policy, which is more mainstreamed, with more focus and more risk-taking.
The 16 actions under the DSM are almost all in areas where there is real political judgement to be exercised about what the market will bear in terms of the speed of change.”
 See text of Juncker Commision Priority no 2 A Connected Digital Single Market. “We can create a fair level playing field where all companies offering their goods or services in the European Union are subject to the same data protection and consumer rules, regardless of where there server is based.”
 See DSM Strategy p.3
 See section 4.3.2 of the DSM Strategy on e-governmentChris Sherwood