The flow of digital information within and between companies is growing. Successful dissemination of digital technology is vital for Europe’s economic recovery, job growth and competitiveness. The new data driven economy will have a huge impact not only on the ICT industry, but also on the “traditional” sectors. The combined total digital data value amounts to roughly 8% of the EU-27 GDP. Applying personal data could deliver a €330 billion annual economic benefit for organisations in Europe by 2020.
Last week in Strasbourg, the European Parliament’s Civil Liberties Committee (LIBE) held a vote on the long-awaited Data Protection Regulation. The draft EU General Data Protection Regulation was first unveiled 18 months ago and triggered intense lobbying, resulting in almost 4,000 proposed amendments. “It’s a win-win situation for European companies, for European citizens, for consumers of the digital market in Europe,” commented MEP Jan Philipp Albrecht, who is the lead parliamentary negotiator on the legislation. Unfortunately this is definitely not a win-win situation. Despite the fact that some of the original measures have now been watered down, some measures have gotten much tougher. With this draft, enterprises will face more difficulties in embracing the potential of the data-driven economy. The Regulation does not grasp the opportunity to enable the potential of the digital economy. In particular, the following three clauses will hinder growth and innovation.
The Regulation sets out that a company needs to be able to prove that the data subject has given ‘explicit consent’ to the processing operation. Obtaining the explicit consent from the consumers will create financial burdens. Studies have shown that the use of registration systems on websites that previously did not require registration have caused a dramatic decrease in users. Therefore, explicit consent may lead to a decrease in customers. Explicit consent could lead to consumers who simply consent to everything due to the many boxes they have to read through and tick. It is unlikely that consumers will be cautious before giving consent, as this is not the case in private policy agreements on websites. Research shows that most consumers don’t read website privacy policies and that if a consumer would read all the privacy policies he encounters on a daily basis, it would take him 250 working hours per year (or about 30 workdays). It is very plausible that consent can become meaningless if the boxes to tick on a website increase, because consumers tick boxes reflexively in order to proceed to the next webpage. This could affect consumers in a negative way if sensitive data is involved. As a consequence, they might lose trust in companies and this can lead to indirect costs for businesses. Therefore, explicit consent should depend on the sensitivity of the data or the risks associated with the processing.
Profiling will be limited to circumstances where the data subject has consented, when required by law or in pursuance of a contract. Research shows that profiling is an important tool for businesses, as it fosters innovation and is generally beneficial for customers. It enables companies to develop new products, and consumers benefit from it in the form of lower prices, time saved as well as new products and services. Consumers are not always aware of these benefits. Limiting companies in their profiling activities such as direct marketing activities, will create barriers for them. Data analysis techniques allow businesses to better understand what their customers like and want, enabling them to offer good customer service and to develop new or enhanced revenue streams. Companies that adopt decisions based on data analysis have higher productivity than companies who don’t. For example, firms like Food Lion, Subway and CKE Restaurants test many business ideas based on data analysis. This gives them knowledge of what is, or is not, likely to be a successful business innovation. Therefore, a restriction in profiling can lead to lost revenue due to a company’s inability to engage in targeted advertising and other direct marketing activities that require profiling.
Finally, it is shocking that the amount of administrative sanctions for non-compliance has been dramatically increased, from the Commission’s proposed 2% of annual worldwide turnover, to 5%, which could be hundreds of millions of dollars. These fines seem to have been designed with some internet giants in mind, like Google, but it is absolutely disproportionate for companies in the traditional sector. In addition, the draft Regulation does not differentiate between intentional and non-intentional data breaches. In the case that a company makes an error out of ignorance, and can prove that it was non-intentional, it is not fair to impose a fine. This could lead to unnecessary costs for companies which made a non-intentional error.
It can be concluded that the current draft Regulation will have a negative effect on businesses. It is very disappointing that the Parliament fails at strengthening the digital single market.