Barcelona, 17 de octubre 2013.- Ecommerce Europe states 10 recommendations for a data protection regulation. Online merchants seek an effective, flexible and efficient regulatory framework on privacy and data protection that stimulates growth and trust in (cross-border) e-commerce.
Recommendation 1: Further clarification on the concepts and definitions of ‘personal data’ and ‘data subject’ which should imply a context- and risk based approach towards personal data processing.
Recommendation 2: Ensure that a separate provision in article 4, explicitly states that the concepts of ‘pseudonymous data’, ‘encrypted data’, and ‘anonymous data’ will NOT be con- sidered personal data as such, and shall therefore fall outside the scope and the requirements as set out by the General Data Protection Regulation.
Recommendation 3: Change the requirement for ‘explicit con- sent’ (as proposed in article 4.1(8) draft General Data Protec- tion Regulation) into ‘unambiguous consent’.
Recommendation 4: Leave open the possibility for data subjects to consent by appropriate device settings, pre-ticked boxes and clearly communicated default options.
Recommendation 5: The exception of ‘legitimate interests pur- sued by a controller’ is an open norm, which should not be fixed by limitative enumerations of possible superseding interests in a legally binding article.
Recommendation 6: Extend article 6.1(f) by taking into ac- count the “legitimate interests pursued by, or on behalf of a controller or a processor, or by a third party or parties in whose interest the data is processed”.
Recommendation 7: The supervisory authorities and the court should be authorized/equipped to balance the interests of the data controller against fundamental rights and freedoms of the data subject.
Recommendation 8: Remove the proposal for a ‘Right to be Forgotten’ and strengthen the effectiveness of the existing right for individuals to have their data deleted or to withdraw their consent as laid down in Directive 95/46/EC.
Recommendation 9: Replace the right to data portability by the right to obtain data and limit its scope to user generated content, and thus, to social networks in particular.
Recommendation 10: Narrow the scope of Article 20 draft General Data Protection Regulation to profiling with negative/ adverse effects on privacy of the data subject only, and clarify (through a recital, potentially) that profiling carried out for direct and digital marketing purposes falls outside its scope.
The requirement for ‘explicit consent’ proposed in the Commission’s draft Data Protection Regulation places unneces- sary burdens on both consumers and merchants. Ecommerce Europe fears a significant imbalance for businesses in terms of security requirements and additional costs. This strict require- ment will impede the pragmatic, balanced and fair use of personal data and the free flow of information, which are crucial interests for the e-commerce industry. Moreover, adding the ‘explicit’-requirement, will result in user-unfriendly solutions for acceptance, placing unnecessary burdens on the consumer. A context-based approach to consent requirements, depending on the sensitivity of the data processing activities, is preferable.
Ecommerce Europe would like to emphasize that the privacy impact of personal data processing is context-dependant. Therefore, a risk based consent rule, depending on the specific circumstances and the context, is a more suitable approach.
The responsible use of personal data builds on the idea of transparency to create consumer trust and awareness. The data subject should be fully aware of what is going to happen, and have the ability to make a free and informed deci- sion about the processing of its data for a specified purpose. In this sense, the principles as proposed in Article 4 of the draft regulation requiring “freely given, specific, and informed consent”, prove to provide sufficient protection for the data sub- ject. Therefore, unambiguous consent ensures a fair balance between the interests of data subjects and the e-commerce industry.
In addition, Ecommerce Europe supports leaving open the possibility of consent by appropriate device settings. Under certain circumstances, clearly communicated default options or pre-ticked boxes should be deemed as valid means to acquire consent. This idea will do justice to both consumers’ interests regarding user friendly solutions and legal certainty, as well as businesses’ interests with regard to keeping additional costs to a minimum by means of a uniform technical standard. The requirement for ‘explicit consent’ hampers the possibility for the industry to introduce such systems.
As proposed, ‘pseudonymous data’, ‘encrypted data’, and ‘anonymous data’ shall fall outside the scope and the require- ments as set out by the General Data Protection Regulation and therefore require no consent before being processed.
Article 6.1(f) allows for the processing of personal data if the legitimate interests of a controller supersede the fundamental rights and freedoms of the data subject. Both, legitimate inter- ests of the controller and the fundamental rights and freedoms of the data subject, are open norms that leave much room for interpretation. Ecommerce Europe emphasizes the importance of open norms and generally objects to amending more strict requirements for the processing of personal data.
In e-commerce, direct marketing and profiling in particular are crucial interests for data controllers. These interests should not be excluded as a rule, but should always be balanced against the fundamental rights and freedoms of the data subject. There- fore, amendments specifying conditions for superseding legitimate interests are welcomed, as far as they serve as guidance for both parties (controller and data subject) for a better understanding of the interpretation of these norms, or if they would serve as a contribution to the burden of proof of the data controller.
Administrative burdens and costs of mandatory consumer infor- mation should be kept to a minimum. It is therefore undesirable for data controllers to publish the reasons for believing their interests are superseding the fundamental rights and freedoms of the data subject at all times.
Ecommerce Europe stresses the importance of third-party pro- cessing in e-commerce. Not only can the legitimate interest of the controller provide a legal basis for processing, but also for the legitimate interests of a third party to which the data have been transferred.
Right to be forgotten
The ability to withdraw personal information is laid down in Di- rective 95/46/EC. The rule that private data may only be stored for a limited time supplemented by the right of individuals to have their data deleted and / or withdraw their consent, already forms, strictly speaking, a “right to be forgotten”. Ecommerce Europe believes that the introduction of a new “right to be for- gotten” is therefore unnecessary and could create redundancy with these provisions.
The right to be forgotten as proposed in Article 17 of the draft Regulation seems to be more in line within a context of social networks, assuming that data subject should be able to erase user generated content, which is content that is generated by the data subject itself. Traders have a wide range of obligations to keep data on transactions for the sake of bookkeeping, customer warranty, tax-obligations, and more. Imposing a right to be forgotten in the e-commerce sector can lead to serious and unwanted con- sequences, such as additional costs and barriers by technical impossibilities.
Taking into account the real practice of profiling in ecommerce activities, Ecommerce Europe believes that the current defini- tion of profiling in the draft Regulation leads to an unjustified and misleading tendency. It unjustly implies that all automated decisions are profiling decisions, which are interchangeable and have a huge privacy impact.
Ecommerce Europe would like to highlight the benefits and value of profiling for marketing purposes for both the controller and the data subject. In the current information society, profiling is a fundamental part of commercial, political and charitable business processes and is essential for the functioning of the internal market.
Legitimate profiling is not a harmful activity. It is used to identify loyal customers and provide them with relevant information, special promotions and discounts. It is a tool used by organiza- tions in every market segment, including commercial and non- profit, in pursuit of a legitimate business interest.
The legitimate interests to carry out profiling have been recognized by the Council of Europe in its Recommendation (2010)13. Ecommerce Europe considers it is important that the balance found in the Council of Europe Recommendation be reflected in the proposed Article 20. It therefore strongly advo- cates changing the title of Article 20.
Ecommerce Europe questions the usefulness of the “right to data portability” in the e-commerce sector as laid down in Article 18 of the draft Regulation. In stead, it rather welcomes the strengthening of existing rights, such as the right of access, rectification and erasure and the newly proposed right to obtain data.
Imposing a right to portability or the right to obtain data in the e-commerce sector can lead to additional costs for businesses. For example, companies will have to develop new systems for data management and provide structured electronic formats only containing the data subject’s “personal” data.
It is also expected that this right will discourage companies from implementing innovative services, because sensitive commercial information is allowed to be transmitted to competitors. Moreover, the value of this provision for data-protection inter- ests to data subjects in the e-commerce sector is questionable.