VON Europe

Comments on the Commission’s Data Protection Communication


by VON Europe, January 2011

The Voice on the Net Coalition Europe (‘VON’) welcomes the opportunity to comment on the European
Commission’s Draft Communication on a Comprehensive Approach to Data Protection in the EU (hereafter
‘the Draft Communication’).
VON considers that the Data Protection Directive (Directive 95/46) must broadly remain as it
stands, but the leeway for diverging interpretations by Member States and contradictory
sector-specific measures should be minimised by the European Commission through additional
guidance.

Our key comments can be summarized as follows:

• Technology neutrality must be the cornerstone of the approach to privacy in the future, for that
approach to be efficient in a coherent manner;

• The key principles of Directive 95/46 are sound and the focus should be on issuing additional guidance
that (1) ensures a more harmonised implementation, (2) focuses the attention on effective enforcement
by DPAs and (3) clarifies some key concepts.

• As regards the definition of personal data, it is important to focus on the probability of linkability to
personal data or to other data that will result in the creation of personal data rather than on the mere
possibility of linkability.

• We have strong reservations as regards the introduction of an unlimited “right to be forgotten” that
goes beyond the provisions on data retention and the right to object to the processing of personal data,
and which could create false expectations amongst consumers whilst setting a threshold for online
players that is simply impossible to meet.

• Online intermediaries when acting as controllers should be subject to the same liability limitations in the
area of privacy and data protection as those outlined for cases of copyright and defamation in the
eCommerce Directive.

• The Communication provides some thoughtful guidance as to the role of transparency and user control,
two elements that should directly inspire what the EU ought to understand by “informed consent”.

• In order to foster a real single market approach, the Commission should provide additional guidance in
order to make the list in Article 19(1) of information to be provided exhaustive, and to allow a data
controller to register in one Member State (the country where the data controller has its main
establishment in the EU) and consider this registration sufficient to comply with the requirements of
Article 18 across the European Union.

• VON considers that the Commission must remain central in the interpretation of privacy rules and must
ensure that the Article 29 Committee has a formal obligation to pro-actively consult with interested
parties on issues which are to be the subject of an opinion, and to take into account the feedback
received.

More details can be found in VON’s responses below.

1. NEW CHALLENGES FOR THE PROTECTION OF PERSONAL DATA

• Addressing the impact of new technologies
• Enhancing the internal market dimension of data protection
• Addressing globalisation and improving international data transfers
• Providing a stronger institutional arrangement for the effective enforcement of data protection rules
• Improving the coherence of the data protection legal framework

Privacy is a fundamental right that should apply equally regardless of the environment or ecosystem at
stake. Reading through the Commission’s Draft Communication, one cannot help but notice that greater
emphasis is given to online developments. This could create a risk that privacy rules in the overarching Data
Protection Directive (as opposed to the ePrivacy Directive, which is meant to specifically address the
electronic communications sector) are created specifically for the online environment, with the risk that
some of the principles adopted in the online world are asymmetric to what happens in the offline world.
Surely the purpose of the Commission is to create an environment that preserves individuals’ privacy in
equal measure in all circumstances and that sets rules in place that “make sense” in all circumstances?

Let’s look at an example to illustrate our point: if a salesperson in a store keeps an eye on a client while
he/she goes through the merchandise and then approaches that client to suggest an alternative sweater,
how will this “tracking” be addressed? Should that store warn clients that that salesperson is doing this?
And maybe allow the client to claim his or her right to be forgotten by that salesperson?
Technological neutrality is particularly important in an ecosystem where the offline and the online world
converge naturally, as is the case for instance, with transactions between business and individuals that are
initiated online but completed through the actual delivery of the service or product offline.

VON Europe therefore strongly believes that technology neutrality must be the cornerstone of the
approach to privacy in the future, for that approach to be efficient in a coherent manner.

VON considers that many of the challenges identified by the Commission and stakeholders relate more
to:
1. a non-harmonised implementation of Directive 95/46 which could be solved in part by issuing
additional guidance;
2. a lack of effective enforcement by DPAs due to insufficient resources or an inappropriate focus
on paperwork (due to the administrative paper mill created by the notification procedure for
everyone involved, i.e. industry and DPAs) over field work (combatting breaches and behaviour
that cause harm to individuals);
3. a lack of clarity surrounding key concepts such as the definitions included in Directive 95/46.

VON therefore urges the Commission to focus its approach on these matters before considering a major
overhaul or the introduction of new concepts.

2. KEY OBJECTIVES OF THE COMPREHENSIVE APPROACH ON DATA PROTECTION

2.1. Strengthening individuals' rights


2.1.1. Ensuring appropriate protection for individuals in all circumstances (impact of new technologies and
free circulation)
2.1.2. Increasing transparency for data subjects (notices and data breach)
2.1.3. Enhancing control over one's own data (data minimisation, modalities for access, rectification,
erasure and blocking, right to be forgotten and data portability)
2.1.4. Raising awareness (co-financing and possible obligation to carry out awareness raising activities)
2.1.5. Ensuring informed and free consent
2.1.6. Protecting sensitive data (new categories such as genetic data and harmonisation)
2.1.7. Making remedies and sanctions more effective (class action and stronger sanctions)

VON Europe welcomes the fact that the Draft Communication does recognise the fact that Directive
95/46 is first and foremost a single market instrument aimed at facilitating the cross-border flow of
personal data.

However, as indicated in our opening statements, the Directive has partially failed in that regard, due to
incoherent implementation by Member States and the lack of clarity as regards certain key concepts.

For example, Section V of Directive 95/46 gives data subjects the right of access (section 2.1.3 of the Draft
Communication) to their personal data retained by a data controller. More specifically, Article 12 provides
data subjects with a broad and unqualified right to obtain information from data controllers. From a
practical perspective, retrieving data, particularly from on-line systems, can however be a lengthy and
costly exercise [1], and in its current form, Article 12 does not require the data subject to ensure that any
request he/she might make is both proportionate and justified. Moreover, there are no specific provisions
in the Directive for data controllers to recover the costs incurred, and arrangement for charging at national
level generally set a very low ceiling on what a data controller can charge for retrieval. VON believes that
Article 12 must strike an appropriate balance between the interests of both the data subjects and the data
controllers and thereby needs to include additional safeguards to protect data controllers from malicious or
vexatious requests from data subjects. Introducing a requirement of proportionality and the need to
justify access requests could certainly improve the current imbalance without diminishing the rights
enjoyed by data subjects.

Moreover, VON believes that the concept of data minimisation included in the Directive could
benefit from additional clarifications. For instance, this concept can only work as long as the concept of
personal data is defined in a limited and proportionate manner, hence ensuring a broader understanding of
what constitutes anonymised data.

[1] ISPs, for example, often have to search data sources on several different systems to satisfy a customer's requests for copies of data
held on them, such as web logs, email logs, subscriber databases, billing platforms etc.

The concept of personal data is also relevant in this context. Having a suitable definition of personal data is
key because it is the element that triggers the application of the data protection Directive today.

The current binary definition (personal vs. not personal) might not be suitable for the current scenarios of
data collection and use, especially as the amount of data created explodes. Society currently produces
more digital information every three days than it did in the entire period up to 2003. Simultaneously,
advances in statistical analysis make it very difficult to say with certainty that a specific piece of information
could never be linked to an identified individual, given substantial effort and enough related data. In this
context, it is important to focus on the probability of linkability to personal data or to other data that will
result in the creation of personal data rather than on the mere possibility of linkability.

The rights of individuals will be adequately protected if data is processed so that all means likely to be
reasonably used to identify the said person will fail. In particular, it is our contention that ‘coded’ data
should typically not be regarded as personal data in the hands of a recipient organization, where they have
no practical or legal means to access the ‘key’ held by a disclosing legal entity (for example an IP address in
the hands of a website operator rather than the ISP).

VON also believes that there might be room for a third category of data, namely indirectly identifiable data,
which could be subject to adequate protection measures that are adapted to avoid linkability and
the data therefore becoming personal data. This type of data could trigger an obligation to keep the data securely
and confidentially, and pass that obligation to processors of the data. In addition, it could be subject to an
obligation not to seek the identification of individuals.

We have strong reservations as regards the introduction of an unlimited “right to be forgotten” that goes
beyond the provisions on data retention and the right to object to the processing of personal data, and
which could create false expectations amongst consumers whilst setting a threshold for online players
that is simply impossible to meet. To be workable, this right must draw clear distinctions between user
data (i.e. data that the user inputs directly, such as photos or names of friends) and data created by the
service provider (i.e. metadata, derivative data). The scope of “user data” will need to be clearly defined in
order to avoid different Member States taking different approaches. This right also should not require data
controllers to do the impossible. In the online context certain technologies may not be capable of enabling
users to “remove all tracks.” In this context, the lack of clarity as regards what constitutes a controller
and a processor (concepts of the pre-Internet era) becomes apparent, in particular since many online
providers act as “intermediaries” as defined in the context of the eCommerce Directive, adopted after the
General Data Protection Directive. In many instances, intermediaries are processors and therefore acting
entirely on behalf of the data controller. It should be clear that the ultimate responsibility for data
protection compliance lies with the controller (even in cases of user generated content posted on web
platforms). At a minimum, intermediaries when acting as controllers should be subject to the same
liability limitations in the area of privacy and data protection as those outlined for cases of copyright
and defamation in the eCommerce Directive. This is particularly relevant as an ill-defined “right to be
forgotten” could lead to an obligation of general monitoring of the Internet by intermediaries, long ruled out
in the EU as non-viable on the Internet.

VON would also like to comment on the concept of "consent" (section 2.1.5 of the Draft
Communication), which raises a number of problems when it comes to its interpretation by different
Member States and requires multinational companies to take advice in each jurisdiction about consent
(and in the online environment in which VON’s members are active, SMEs going online are nearly
automatically ‘multinationals’ as their services, applications and products are available on a global scale).
VON believes the Commission should clearly state that all types of consent ought to be admissible, as long
as they comply with the other requirements of the EU legal framework as to being fully informed. If existing
national laws do not recognise this, those laws should be changed as they are unhelpful, generally, in an
electronic commerce context. Moreover, Article 7 of Directive 95/46 stipulates that the processing of
personal data is considered legitimate if, inter alia, “the data subject has unambiguously given his consent”.
However, the Directive gives no guidance as to how this consent can be obtained and the interpretation of
this concept varies from one Member State to another as a result, as does the notion of “unambiguous”.
This lack of consistency is particularly problematic for data controllers, such as online service and content
providers, operating across EU borders and can considerably increase administrative costs. Finally, the
concept of “legitimate interests” under Article 7(f) of Directive 95/46 appears to have been given a differing
interpretation by regulators in different Member States. This throws companies in those jurisdictions back
to, in many cases, the obtaining of consent. The Communication provides some thoughtful guidance as to
the role of transparency and user control, two elements that should directly inspire what the EU ought to
understand by “informed consent”.

2.2. Enhancing the internal market dimension


2.2.1. Increasing legal certainty and providing a level playing field for data controllers (increased
harmonisation)
2.2.2. Reducing the administrative burden (simplification and harmonisation notification e.g. through EU-
wide notification)
2.2.3. Clarifying the rules on applicable law and Member States' responsibility (protection to EU citizens
regardless of location controller)
2.2.4. Enhancing data controllers' responsibility (mandatory appointment of data protection officer and
data protection impact assessment when risks e.g. in case of profiling or video surveillance and promoting
privacy by design)
2.2.5. Encouraging self-regulatory initiatives and exploring EU certification schemes

EU national legislation is all based on Directive 95/46 which is a classic single market directive, with a
primary objective being to remove barriers to the free flow of data in the Internal Market. As stated
previously, VON does not consider that this aim has been fully achieved in this area (Sections 2.2.1 and
2.2.2 of the Draft Communication).

It is a complicated and costly exercise to try to comply with the range of current data protection laws in the
EU. An example is the differing interpretations of the provisions of Articles 25 and 26, such that in some
countries no formalities must be observed with the national regulator, whereas in others there are filing
and/or prior approval requirements, up to a point where companies active online need to take specific
advice in each jurisdiction.

For online companies such different standards in different jurisdictions are extremely burdensome, as
they add to system development costs, legal costs in understanding the differing requirements, logistical
costs in regards to location of servers, etc. without clearly increasing the level of protection for consumers.
A unified system with which it is easy to comply is a better protection, as compliance with such a set of
rules is easier to achieve.
VON urges the European Commission to take further steps to ensure that Member States take a more
harmonised approach to data protection law.

VON recommends that the Commission consider the following modifications in order to foster a real
single market approach:
• Provide additional guidance in order to make the list in Article 19(1) of information to be provided
exhaustive;
• Allow a data controller to register in one Member State (the country where the data controller has its
main establishment in the EU) and consider this registration sufficient to comply with the requirements
of Article 18 across the European Union.

As regards the rules relating to applicable law (Section 2.2.3 of the Draft Communication), Directive 95/46
was adopted at a time before the Internet and on-line transactions became an everyday part of business in
the EU, and their growth a major objective of the European Commission’s EU2020 Strategy and its Digital
Agenda. Article 4 of the Directive sets out the circumstances under which a Member State may apply its
national regulations to the processing of personal data, and the principles it sets out clearly show the limits
of this Directive in light of the growth of the Internet (even though it is true that it has been complemented
by the ePrivacy Directive). With the increase of networked data services at a global level, an increasing
amount of data is both transferred and accessed across international borders. The implications of Article 4
in the online environment constitute a significant extra-territorial extension of jurisdiction and place some
significant obstacles in the way of international business. For example, data accessed from a remote
location within the EU but which resides on a data base in a jurisdiction outside the EU could be considered
to be ‘processed’ in the EU and therefore subject to Directive 95/46. Such broad interpretations create
considerable uncertainty for providers of cross-border services. Larger companies have responded to this
by adopting EU standards of data protection across all business units in all locations worldwide. However,
this might not be feasible for smaller organisations and does not offer a sustainable solution to address
situations where companies may be accessing data which are controlled by a third party.
VON therefore encourages the European Commission to review the scope and operation of Article 4 in the
light of technological developments. The current drafting of this article should, in our view, specifically be
re-examined in the light of the growth of the Internet and the development of online databases. The
Commission should aim to eliminate unintended legal uncertainties and to bring Directive 95/46 in line
with the country of origin principle enshrined in all Single Market Information Society Directives.
VON supports the idea suggested in the Article 29 Working Party's opinion on applicable law that there is a
need to adopt an applicable law rule and shares the Article 29 Working Party's perspective that where a
company operates across multiple EU member states, the law applicable to its operations should be that of
its main establishment.

On a different note, VON welcomes the fact the Commission is considering encouraging self-regulation in
the area of privacy (Section 2.2.5). Practice shows that in the online environment specifically,
self-regulatory initiatives have already achieved many positive results and have shown how the process of
building best practices can evolve. However, some Member States’ systems do not allow them the
flexibility they need to support self-regulatory approaches as a means of fulfilling their obligations under
EU law. The Commission should therefore consider measures to ensure that Member States’ own legal
frameworks accommodate and encourage self-regulatory approaches. In particular, we would strongly
recommend the full revision of the mechanism by which codes of conduct related to privacy are adopted in
the EU. Currently, codes of conduct require the approval of the Article 29 Working Party, which has proved
to be an inadequate method, as only a couple of codes of conduct have been adopted through this
mechanism since the Directive came into force in 1998.
VON also finds it important to consider approaches that involve a self-certification regime in a pragmatic
and not too burdensome manner and asks the Commission to take a much more active role in promoting
self-regulatory and co-regulatory mechanisms.

2.3. Revising the data protection rules in the area of police and judicial cooperation in criminal matters

VON has no comments on this section.

2.4. The global dimension of data protection


2.4.1. Clarifying and simplifying the rules for international data transfers (streamline BCRs, clarify adequacy
procedure and define core EU data protection elements for international agreements)
2.4.2. Promoting universal principles (legal and technical standards in third countries, principle of
reciprocity, standardisation)

Chapter IV of Directive 95/46 sets out a framework for the transfer of personal data to countries outside
the EU. Article 25 on the one hand permits data transfers to third countries deemed to provide an
“adequate” level of protection for personal data. Article 26 on the other hand sets out under what
circumstances data can be transferred to third countries that are not deemed to have adequate laws
protecting personal data.
These provisions create many difficulties for companies operating in an international environment and
have failed to answer the specific needs arising out of the growth of electronic communications tools, and
notably the Internet. The growth of the Internet has considerably increased and complicated the
interactions within the supply chain as well as the legitimate need for data transfers between companies,
particularly in the online sector.
In light of these evolutions, the requirements of Article 26 appear disproportionately prescriptive to the
point that they risk hampering legitimate business processes. Experience shows that transfers to and from
other companies who may not be familiar with EU legislation are a major problem, resulting in a lengthy
educational process and protracted negotiations over contractual provisions.

VON believes that the Chapter IV provisions on data transfers of Directive 95/46 could be made more
effective in practice while still preserving the rights of data subjects. In particular, we would
recommend:
• allowing the European Commission to recognise intra-group agreements on transfers of personal
data, irrespective of whether they act as processors or controllers, but adapting the rules
accordingly;
  o Address also onward transfers
  o Subject to either
    ▪ One set of EU wide defined rules (preferred) or
    ▪ One set of national rules, based on objective criteria (for instance where the
      organization has its main operations in the EU)
  o Under the authority of one leading regulator.
• a review of the EU model contract terms to adapt them and to introduce greater flexibility for
data controllers, make the process more timely and facilitate the use of the exceptions under
Article 26;
• reviewing or offering clearer guidance on the standards of (i) obtaining the “unambiguous
consent” of data subjects for transfers and (ii) the requirement that transfers be “necessary” for
the performance of a contract;
• extending the Safe Harbor agreement;
• ensuring Member States apply uniform procedural requirements when using Standard
Contractual Clauses and that onward transfer to a data processor and multi-party transfers are
allowed.

2.5. A stronger institutional arrangement for better enforcement of data protection rules

(status and power of DPAs, cooperation, Art 29 WP and its transparency or other alternative)

Assessing the effectiveness and scope of enforcement of existing rules is critical in the evaluation of
“gaps” that may exist in terms of privacy. The issues that arise are often the consequence of a lack of
enforcement for a variety of reasons. VON supports a strengthened enforcement approach, as defined in
its broadest sense, namely “any action leading to better compliance, including awareness raising activities
and the development of guidance (…) the undertaking of investigative actions, or even solely the imposition
of sanctions” (WP 101 p. 3).

However, we believe that enforcement is not as effective today as it could be if DPA resources were more
flexibly focused on reduction of harm to citizens, rather than on ex ante paperwork. Such a change would
be a win-win scenario – more enforcement success for DPAs, better protection for citizens, and less
administrative burden for economic operators.

Articles 29 to 31 of Directive 95/46 set in place a working party of national authorities to perform a
supervisory and advisory role with respect to the implementation of the Directive (the so-called Art. 29
Working Party). These Articles however do not stipulate a mechanism for consultation of interested
parties, let alone the obligation to consult at least in certain areas. The need and benefits arising from
consultation certainly do not need to be demonstrated any longer and seem to have become a “normal”
feature of adopting the best possible regulatory measures at both EU and national levels.

VON believes that consultation with interested parties is particularly important on matters relating to the
processing of data on-line which must take full account of what is both technically feasible and
proportionate in terms of cost. VON therefore urges the Commission to put in place the necessary
safeguards to ensure that the Article 29 Committee has a formal obligation to pro-actively consult with
interested parties on issues which are to be the subject of an opinion, and to take into account the
feedback received. VON moreover believes that the Art. 29 Working Party and the EDPS should remain
advisory bodies. The European Commission has the legitimacy to take decisions regarding the
interpretation of the new instrument, as it would naturally take into account the internal market dimension
and give consideration to the impact of its interpretations in the context of other EU frameworks and policy
objectives (e.g. innovation, competitiveness).
* * *

We thank you in advance for taking these views into consideration. Feel free to contact Caroline De Cock,
Executive Director VON Europe, by phone (+ 32 (0)474 840515) or email (cdc@voneurope.eu) should you
need further information.

About VON Coalition Europe

The Voice on the Net (VON) Coalition Europe was launched in December 2007 by leading Internet communications
and technology companies, on the cutting edge – iBasis, Google, Microsoft, Skype and Voxbone – to create an
authoritative voice for the Internet-enabled communications industry.

The VON Coalition Europe notably focuses on educating and informing policymakers in the European Union in order to
promote responsible government policies that enable innovation and the many benefits that Internet voice
innovations can deliver.
