Bursting the Bubble

Data Protection: good for citizens but bad for business?

29 March 2013 | by

The future for data protection in Europe has finally arrived in the form of an EU Data Protection Regulation. Taking the stage after being leaked onto the virtual world, the new law will modernise the EU Data Protection Directive of 1995 in the form of a directly applicable Regulation. The European Commission presented this proposal in January 2012 and it is a good initiative for the digital world we’re living in, where we rely on a continuous connection to the Internet. The Commission stated that this reform will help companies get the most out of the Digital Single Market and that it will foster economic growth, innovation and job creation. However, questions arise when we think about how realistic these ambitious perspectives are.

The proposal has several provisions to strengthen citizens’ rights. One important new rule is “the right to data portability”. This gives consumers the ability to transfer their personal data from one service provider to another more easily, which means that you can download all the data that a company, for example Facebook, has about you. Another important clause is the “right to be forgotten”, which allows you to demand organisations to delete your data if there are no legitimate grounds for retaining it. So, it will definitely strengthen the rights of citizens of having their data protected. But what will the new legislation mean for European businesses? One of the Commissions objectives is “eliminating unnecessary costs and reducing administrative burdens for businesses”. However, compliance with the new regulation will impose a number of costs on businesses. The Commission proposal is overly prescriptive and detailed in a way that creates more administrative burdens and compliance costs for companies without a proportionate privacy benefit. In this way, it discourages digital innovation and competitiveness.

First of all, firms will have the obligation to carry out an impact assessment (DPIA), which can be very costly. For example, the regulation obliges a mandatory impact assessment where processing operations represent specific risk. Such an assessment could only be useful where organisations have the flexibility to tailor the assessment to their organisations’ processes. Secondly, companies will be obliged to maintain documentation of all processing operations, which will create substantial costs with no commensurate benefit. Instead of creating more paperwork, the Commission should focus on creating added value and jobs. Thirdly, firms will have to appoint a data protection Officer (DPO). This obligation will apply to firms with 250 or more employees and firms whose core activity is the monitoring of citizens. Another major challenge is the obligation to notify the supervisory bodies about data breaches within 24 hours. Firms who fail to comply with this notification risk fines of 1% of their global annual turnover, which is an extremely high figure. In addition, companies will have to develop new data management systems and procedures for data protection.

It also might be difficult for companies to comply with the “right to be forgotten”. Deleting certain data could damage other data. In practical terms it is difficult to go into a vast store of data and delete them in a granular way without damaging other data. Today, information is not simply held in a series of emails or a recording of a phone call, but in a structured database, which makes it very hard to ensure complete deletion. A corporate archive might be in a format that cannot be edited.

The current situation is that more than 3000 amendments have been tabled to the proposed legislation. As a result, the rapporteur Jan Albrecht (Greens-EFA, Germany) decided to postpone the vote in the EP Committee on Civil Liberties (LIBE) from April to the 29th/30th May.

Personally, I welcome the Commission’s initiative. I want to have the possibility to remove my information from, for example, Facebook and at the same time be sure that my information isn’t “flowing somewhere”. However, I do have doubts whether this reform will lead to the economic and employment boost that the Commission has thus far promised.


  1. This is a very interesting topic; as the digital world is growing faster every day the need to protect citizen’s privacy becomes more important. From the perspective of a citizen I also applaud the initiative. However I do believe that no unnecessary burden should be put on companies. In the current proposal it seems that businesses will be confronted with substantial costs to comply. I also question the Commission’s statement concerning job creation. If a company is confronted with an increase in costs without any perspective on additional earnings, this usually has a negative effect on employment. On what is this ambitious statement of the Commission based? On the obligatory appointment of a data protection officer? Maybe this requirement will only increase the workload of employees of the company as the will have to take on supplementary tasks.

  2. I do agree with the author’s perspective that it is very welcome for citizens to have a certain regulation installed to protect people from data misuse. However, I do have my doubts about the practical realization of such a law. The use and misuse of data and therefore the necessary protection of it can only be implemented in an area that is intransparant for many. The appointment of a data protection officer is in my opinion a good idea. It is a very grey area nonetheless. Should businesses be burdened by this in times where economic activity should be stimulated? Or should one focus on recovery of the economic sector before adressing this topic? The fact that there are 3000 amendments tabled points out that there is still a long way to go. I would think that it might be good idea to implemenent a less demanding version of the regulation that could be adapted step by step.

  3. We should weigh the economic benefits from free access to data to the benefits of cyber security. The latter term is closely linked to privacy but not exactly the same. Cyber security concerns the protection of the individual against physical, mental or financial harm.
    The assessment is mainly based on how big the threat is for misuse of criminal nature. So there I am talking about malafide practices of data, which can actually harm the citizen physically, mentally or financially. I understand this regulation can be harmful for companies, but does that weigh up to the current (criminal) activities that harm the European citizen?
    It is a fairy tale that data can be protected completely against cyber criminality. If people really want to get into a certain database they will very likely be able to. Moreover, cybercrime is pandemic and growing faster every day. Just a popular example, how many cyber attacks have happened in the last month? If we don’t penalize malafide online practices well, we overlook the importance the internet plays in our lives.
    To answer the question whether the data protection directive is assessing the economic benefits vs cyber security well, I would say ‘yes, but it could be better’. The personal safety of the citizen is more important than the short term benefits of companies. Even in a time of economic downturn….

  4. Arguments about databases being in an uneditable format simply don’t wash, they are just more excuses.

    Citizen’s privacy and personal data is already treated recklessly in many quarters. Telephone Operators for example are quick to flout the rules and then point out that they have a loop hole in the old regulations that allowed them to abuse my personal data in the past in precisely the way the Data Protection Acts and Directives were intended to prevent. Facebook and others have already admitted that even if an individual demanded their right to delete all date, not all data would be deleted and the individual has no way of knowing or tracking, mainly because Facebook and other similar countries don’t reveal its existence or nature. Google even legally contracts to retain copyright over private persons information and data even after deleted from their profiles. After logging in with a new device, I was automatically downloaded a whole pile of personal data from their servers that I had specifically deleted over a year beforehand!

    Extra costs for larger firms yes, but they also gain considerable economic benefit from use of our data.

    The practicalities of tracking and deleting unwanted data are certainly a problem, particularly where Interconnectivity between databases is concerned,
    but only because no one has been forced to take this into account in the design of these systems in the first place.

    Big Business won’t comply unless the sanctions are comensurate with the profit derived from use of this data. The Americans already flout our laws in anyway they can, In respect to data protection laws they bypass them completely where cloud services are concerned, because the applicable national laws are based on the location of the servers. In respect to foreign companies that don’t have the same legal and moral obligations, European firms may well be put at a disadvantage unless these discrepencies can be equalised somehow. Other security services also exploit loopholes in the laws almost willy nilly and function creep is regularly observable if not systematic these days. None of them can reliably protect their data from abuse by corrupt employees or even from external hackers. If it is connected to the internet, it is highly vulnerable.

    Many of the benefits are indirect in respect to competitive advantage through economies of scale and general resources, not just over ‘foreign’ companies, but also over smaller local firms who might become more competitive if the big boys costs increase and hence have a better chance of getting up and running. Small businesses account for 80% of GDP so employment may well be boosted in a backhanded fashion.

    To avoid dealing with these issues just because their is economic downturn is understably politically attractive and tempting, but a very short term outlook. Short-termism is one of the greatest diseases in the western world that often proves our undoing when competing with our Eastern bretheren. If we do not act in a timely fashion, it will all get so far out of hand it becomes an even bigger trauma and expense to reign it back in, if possible at all – note the current ‘its too difficult / in an uneditable format’ objections already being voiced.

    Function Creep is a systematic process and policy that succeeeds precisely because of public, political and legislative apathy and lethargy. Once established, it is disproportionately harder to destablish or otherwise correct.

    • Farah Coppola

      Dear Jun,

      Thank you for your comment.

      I agree that citizen’s privacy and personal data needs to be protected and that the current rules are outdated. However, the point here is that the new rules that the Commission is proposing are too prescriptive and detailed in a way that creates more administrative burden and costs for companies without a proportionate privacy benefit for consumers.

      It is true that firms gain economic benefit from the use of data. But so do citizens. Today, a lot of people don’t see that the use of personal data is not a negative measure per se. Personal data enables businesses to better understand what their customers like, and want, to serve them more efficiently and to develop new and enhanced revenue streams. The benefits they achieve are passed down to consumers, as well, in the form of lower prices, time savings or new and valuable services. It also protects citizens from fraud. For example, personal data can help to detect tax fraud, by analysing bank records and credit card statements and comparing it with disclosed information. In Italy – which loses an estimated €120 billion each year to tax evasion – a system called “Redditometro” analyses some 100 indicators of a citizen‘s lifestyle, including gym membership and private school tuition to optimise tax audits. In 2011 alone, €11.5 billion was recovered. Disproportionate limitations on profiling would therefore harm the functioning of entire sectors and could ultimately have a negative impact for consumers.

      We all want economic growth for the EU. The value created through digital identity can be massive. The combined total digital identity value could amount to roughly 8% of the EU-27 GDP. At a 22% annual growth rate, applying personal data can deliver a €330 billion annual economic benefit for organisations in Europe by 2020. Individuals will benefit to an even greater degree, as the consumer value will be more than twice as large: €670 billion by 2020, mainly stemming from reduced prices (passed on by companies seeing data-driven cost savings), the time savings that self-service transactions will bring and the high value individuals place on free online services, supported at least in part by the use of personal data.

      I do not see your point on how the Regulation will be beneficial for smaller local firms since the the rules will also apply to them. The new Regulation will not only bring costs to large firms that you mentioned. More than 99% of all European businesses are SMEs and it will especially be difficult for SMEs to comply with the new rules, given that SMEs increasingly rely on online advertising to drive revenue growth.

      I also agree that enforcement is essential and that there should be sanctions, but the proposed sanctions are excessive and disproportionate. I believe, particularly in cases of first and non-intentional non-compliance, a warning procedure as well as pre-requisites for renouncing from inflicting sanctions should be considered. Besides, when the new data protection rules come into force, there is a fair chance that most SMEs will not be aware of how to apply them. We should not punish companies for failing to understand complex legislation, but help them and give warnings before imposing fines.

      Looking at the future economic value that can be created by the use of data is not a short-term outlook to me. Digital identity is relevant to the economy as a whole. That means, also for citizens like you and me.

Leave a Reply to Jun Karian Cancel reply