epp group position paper on data protection

on Data ProtectionEPP Group Position Paper

EN

EPP Group Position Paperon Data Pro te c ti on

on Data ProtectionEPP Group Position Paper

3EPP Group Position Paperon Data Pro te c ti on

Table of Contents

EPP Group Key Priorities on Data Protection 5

1. The EPP Group stands fo strong data protection safeguards for EU citizens 7

2. The data protection regime should not put excessive burdens on European SMEs and start-ups 11

3. A sound data protection regime should enhance EU companies competitiveness 13

4. The data protection regime must be future-proof for new technological developments, such as Big Data 15

5. The data protection regime in the law enforcement sector should be tailor-made to its particularities 17

6. The data protection regime in transatlantic flows: Safe Harbour and EU-US umbrella agreement 19


EPP Group Key Priorities on Data Protection

Digitalisation is changing our lives faster than any other technical revolution has done

before. It affects our social and working life, our communication, competitiveness, property

rights, fundamental rights and privacy. EU citizens are sharing their data more and more

in every aspect of their lives. Consumers are using all the technical devices, free services

andapplications provided by companies. Data is a new currency.

By fully harmonising 28 data protection regimes, the proposed Data Protection Regulation

will bring increased legal certainty and would mark an improvement for businesses and

consumers.

EU Ministers have reached an agreement on a number of critical provisions in the proposed

regulation.

However, further work remains to achieve a more balanced and clear legislative framework

that can effectively address the challenges presented by new technologies.

The EPP Group seeks to deliver robust data protection for EU citizens, legal certainty

and trust for companies, and aims to enhance the EUs competitiveness.


> Privacy and data protection are fundamental rights for our citizens.

> Robust data protection requires a combination of consumer law, competition law, privacy by design, privacy by default, software and technology solutions.

> Data protection legislation should address and establish rules for all stages of data processing: collection, using, processing data collected, sharing of data and processing of data already used.

> The EPP Group supports consumer-centric legislation that would empower consumers more strongly: every EU citizen must enjoy the right to access, correct and object to their data processing free of charge.

> Consent should be given in compliance with the fundamental right to data protection, but reality shows citizens consenting improvidently and this is at least undermining their fundamental right. The degree of explicitness of the data subjects consent should be defined according to each situation.

> Excessive or unclear information can lead to no information at all. Lengthy andunclear information discourages consumers from reading it and leads to e ven g reater automatic granted consent. Therefore current provisions should be adjusted to make sure that information provided to users is clear, understandable and not unnecessarily excessive. Information provided to children especially should be clear and child friendly.

> Failure to adopt appropriate data security measures should be strictly assessed and sanctioned. In cases of serious data breaches, businesses and organisations have to inform the individual if he or she was adversely affected.

> The EPP Group highlights the importance of improving the means of ensuring the right to be forgotten and therefore the deletion of data wherever it is legally required. In this regard, special attention must be given to other fundamental rights, such as the freedom of press.

> Profiling should be clearly defined and legally sound to avoid misunderstanding about what

1. The EPP Group stands fo strong

data protection safeguards for EU citizens


it really means; and citizens rights must be fully preserved. Profiling on children should be prohibited.

> Protection should be ensured in particular for the youngest Internet users by introducing effective mechanisms verifying age, age-appropriate default privacy settings and specific safeguards for online advertising.

> The safe transfer of data to third countries should be better defined.

> Particular attention should be drawn to the handling of personal data in connection with mergers and acquisitions. The EPP Group stresses the importance for both the purchaser and the target of ensuring that the transfer of personal data is consistent with written commitments and obligations that were made to the different categories of data subjects. If not, appropriate consent be obtained.

> The Data Protection Regulation should be adopted as soon as possible: the protection of our citizens data cannot wait. An implementation plan involving all stakeholders should be prepared to allow for efficient and harmonised application of the provisions adopted.

11


> The SME sector accounts for over 99.8% of European businesses.

> SMEs will have to face disproportionate and costly obligations, such as the preparation of extensive documentation, the requirement to appoint a data protection officer, limiting the scope of information requested, performing and updating risk assessments.

> Additional costs created by administrative burdens and legal uncertainty will have less impact on global tech giants that can develop products and services for their home market in a much less (or non-) regulated way and then deploy these in Europe. Small European innovators and start-ups cannot afford that kind of administrative burden and risk being overwhelmed by global competitors. SMEs are the backbone of the EU economy. In order to free them from reporting obligations, the Commissions original text scrapped this red tape. Eliminating red tape has to be pursued in trilogues to help SMEs and start-ups to utilise the full potential of the Digital Single Market.

> The EPP Group calls for a tailor-made regime for SMEs with clear derogations

(no data protection officer) and a cut in red tape (eliminating excessive documentation, limiting the scope of information requested and no risk assessments required). For that purpose the EPP Group calls for an impact assessment of those provisions on EU SMEs and start-ups.

> By setting one rule instead of 28, the data protection reform lays the foundations of a true Digital Single Market but the EPP Group believes that further improvements are needed in reducing administrative burdens to avoid more red tape for SMEs and start-ups. We consider that certain provisions need to be adjusted to better take into consideration the scale and the nature of the data processed.

> The EPP Group supports the introduction of a risk-based approach which will allow tailored obligations depending on the level ofrisk of the processed data.

> The EPP Group believes that the focus should be on the principle of responsibility and accountability to ensure proper enforcement of individuals rights rather than excessive and prescriptive ex-ante obligations.

2. The data protection regime should not put excessive burdens on European SMEs and start-ups

13


> Customer data has become a key driver for competitiveness, so it is essential that Europe gets data protection right by striking a balance between the protection of the individuals personal data and the needs of European businesses. The digital economys dynamic is built on trust. Therefore restoring consumer trust in data protection and security is crucial for the economy.

> EU legislation cannot be focused on a defensive approach towards global tech giants while ignoring the competitiveness of EU digital industries. The reform should be an opportunity to position Europe as an exporter of Internet services.

> For a strong European digital economy to compete globally we need a level playing field. Therefore non-European companies, when offering services to EU citizens, will have to apply the same rules and adhere to thesame levels of protection of personal data as European companies do.

> The One-Stop-Shop mechanism, a tool meant to reduce EU companies administrative burdens, has been substantially distorted in

the Council position and will add unnecessary bureaucracy for EU industries. Further negotiations must ensure that red tape is cutback.

> The administrative burden has to be better concentrated on what is necessary to counterbalance the risk to the individual in the data processing (risk-based approach). The EPP Group is in favour of a better differentiation for small, medium and large-sized enterprises in relation to the risk of the data processed to the explicit business.

> Stresses the concept of the further processing of data, which is important for the competitiveness of EU companies if clearly defined.

> Notified and controlled self-regulation tools and the option of binding corporate rules and codes of conduct should be in place

> Companies that do not comply with EU rules must be sanctioned accordingly.

3. A sound data protection regime should enhance EU companies competitiveness

15


> Future-proof data protection rules should support the development of new services in Europe, especially against the backdrop of the fast-growing Internet of Things. Big Data ultimately raises privacy issues and should therefore comply with the data protection regime.

> Big Data has great potential benefits for citizens and for industry, raising the prospect of facilitating new developments in the knowledge economy. Privacy rules must be seen as a tool for helping to achieve success, by attracting consumers concerned about theprivacy and security of their data.

> To ensure a high level of data protection, but at the same time allow businesses to develop and grow, tools like the pseudonymisation of data should be further developed. We should help those business models that combine innovation with basic data protection rules to find their place in our Digital Single Market.

> The current reform must fit this, to balance the rights of data subjects with legitimate business interests when it comes to purpose limitation, data minimisation, detailed profiling and extended identification. This means moving away from some concepts that the current European Parliament and Council texts cling to.

4. The data protection regime

must be future-proof for new technological developments, such as Big Data

17


> The EPP Group welcomes the fact that the European Commission proposed a Directive on Data Protection in the law enforcement sector as part of the reform package, recognising the need for creating specific rules for data processing in this context.

> It must be acknowledged that security-related personal data processing presents a series of characteristics that make specialised data protection rules necessary.

> The Directive must guarantee that a high level of data protection exists across all law enforcement bodies in the EU, but it must also respond to the specific nature of police and judicial activities.

> Law enforcement authorities should be given the necessary flexibility and legal tools to fight crime and should closely cooperate with industry

> The EPP Group is convinced that the Data Protection Directive as adopted by the European Parliament must be reviewed in its scope - on access for the data subject to their data, prior consultation of supervisory authorities, notification of data breaches and designation of a data protection officer - as

the EPP Group can only agree to a text that is realistic and enforceable by the competent authorities in the Member States.

> The EPP Group strongly supports the Directive being adopted jointly with the Regulation (Package approach). However, slow progress in the Council on the Directive should not hamper the swift adoption of theRegulation.

> Cybersecurity constitutes a major challenge for the EU, given the alarming level of threats. Cyberspace is increasingly becoming a facilitator for organised crime in all its forms and constitutes a severe threat to businesses in the EU - but also to citizens, including their everyday consumer transactions. The EPP Group therefore calls for the swift adoption of the Network and Information Security Directive, to raise cooperation between Member States to a meaningful level and increase the resilience and preparedness of the infrastructure and sectors critical to the EU economy and society and necessary for a functioning Single Market. Responding to those challenges necessarily implicates privacy and data security policies.


in the law enforcement sector should be tailor-made to its particularities


19

> While important progress on both files has been achieved and while due note is taken of recent positive developments in the US administration and the US Congress, outstanding issues remain. The EPP Group is convinced that an ambitious and upward-looking dialogue on common standards and rules for data protection and privacy in the EU and the USA is crucial in a digitalised anddata-driven global economy.

> It is of the utmost importance to conclude the EU-US umbrella agreement as soon as possible. This agreement would facilitate data transfer in the context of law enforcement, while providing EU citizens with further safeguards, in particular if the Judicial Redress Bill is adopted by Congress.

> The Safe Harbour decision, dating from 26 July 2000, needed to be revised and the EPP Group welcomes the improvements proposed by the EC.

> These negotiations should ultimately aim at providing clear added value for EU citizens by guaranteeing the same level of protection for EU citizens that Americans enjoy in the US and a level playing field for EU companies.

The EPP Group therefore encourages the European Commission to further pursue its efforts in achieving these goals in the upcoming negotiations. In the meantime the EPP Group will further reflect on alternatives solutions, such as the market location principle. However, should the Commission not be successful in stepping up the Safe Harbour decision by providing strong added value for EU citizens, the EPP Group would call for itsimmediate suspension.


in transatlantic flows: Safe Harbour and EU-US umbrella agreement

Follow us

Published by: EPP Group in the European Parliament Press and Communications Service Publications Team

Editor: Pedro Lpez de Pablo

Responsible: Greet Gysen

Coordinator: Daniela Bhrig

Revision: Mark Dunne

Address: European Parliament, 60 Rue Wiertz, B-1047 - Brussels

Internet: wwweppgroupeu

E-mail: epp-publications@epeuropaeu

Copyright: EPP Group in the European Parliament

No

vemb

er 20

15

EPP Key Priorities on Data Protection1.The EPP Group stands fo strong Data Protection safeguards for EU citizens2.The Data Protection regime should not put excessive burdens onEuropean SMEs and start-ups3.A sound date protection regime should enhance EU companies competitiveness4.The Data Protection regime must be future-proof for new technological developments, such as Big Data5.The Data Protection regime in the law enforcementsector should be tailor-made to its particularities6.The Data Protection regime in transatlantic flows: Safe Harbour and EU-US umbrella agreement

epp group position paper on data protection

Documents