
Five Steps to a More Coherent Data Framework for Europe’s Single Market

For any data-driven enterprise hoping to grow its operations in Europe today, the vaunted Single Market is a chimera. Rather than a harmonized legal framework and clear rules for how companies must safeguard people’s personal information and preserve their privacy, one finds a confusing patchwork.

Take the example of a cloud computing service that offers software tools, data storage, and processing power for enterprise-level clients to use in running their operations. The technology architecture of such a service should easily allow the cloud provider’s physical headquarters to be located in one country, its servers to be located in another, and its customers to be spread all over Europe. (Such economies of scale are in fact the very point of cloud computing.) The cloud service provider’s client companies, in turn, could have their own customers in any number of different locations.

But which country’s privacy and security regulations would cover which sorts of enterprise data in which circumstances? And under what circumstances and under which rules can the data be moved from one location to another? Today, it is very difficult to know. There are different definitions of what constitutes personal data, different rules for how data can be processed and transferred across borders, and different legal obligations for data controllers.

The problem is that the 1995 Data Protection Directive, which was intended to create a common set of rules for the EU, has instead allowed a great deal of leeway for member countries to interpret and implement its requirements. The result has been hopeless fragmentation, which has led to legal uncertainties for businesses, their customers, and consumers. But now the Directive is up for review, providing a welcome opportunity to fix its flaws.

The Business Software Alliance and 10 other associations have coalesced around a set of recommendations to create a robust legal framework that clarifies the rules for data protection in Europe. We are offering them today to European Commission Vice President Viviane Reding, who is overseeing the review. Our submission includes five concrete proposals:

  1. To create a more cohesive Single Market, we suggest that the Directive be revised to create a single set of rules that covers all EU member countries and all types of enterprises, regardless of which technologies they use. To do this, the framework must be flexible and technology-neutral.
  2. To eliminate confusion about which laws apply in which circumstances, we recommend adopting a “country-of-origin” principle. This would allow each data controller to be subject to a single set of rules across the EU. For example, the country of origin could be the EU member state where the data controller’s main establishment is located.
  3. The Directive should streamline and simplify the rules for transferring data across international borders to ensure robust data protection while also allowing timely transactions and seamless operations. The current system makes it very cumbersome to send data in and out of the EU.
  4. Revised data protection rules should reduce administrative burdens on entities that handle data by abolishing or streamlining unwieldy notification and registration requirements. As an alternative, there should be a harmonized way for enterprises operating across Europe to voluntarily appoint data protection officers who will be responsible for high-risk data breaches.
  5. The new EU legal framework should introduce a context-based model of consent that allows data controllers to consider the circumstances of a given transaction and choose the most contextually appropriate ways of giving people necessary information, obtaining their consent, and empowering them to control how their data is used.

Together, these recommendations will help achieve the right balance between preserving privacy, protecting data, promoting innovation and enabling a free flow of information in a true Single Market for data.

Click here for a copy of the Joint Association paper on proposals for a “New EU legal framework on data protection.”

Thomas Boué


Thomas Boué oversees the BSA | The Software Alliance’s public policy activities in the Europe, Middle East and Africa region. He advises BSA members on public policy and legal developments and advocates the views of the ICT sector with both European and national policy makers. He leads on security and privacy issues as well as broader efforts to improve levels of intellectual property protection and to promote open markets, fair competition, and technology innovation in new areas such as cloud computing.

Prior to joining BSA, Boué served as a consultant at Weber Shandwick, where he advised clients on a wide range of technology and ICT-related policy issues and represented them before the EU institutions and industry coalitions. In this role, he also served as policy and regulatory adviser for both EU and US telecom operators. Prior to that, Boué worked for the EU office of the Paris Chamber of Commerce and Industry, where he was responsible for the lobbying activities towards the EU Institutions in the areas of trade, education, and labor, as well as for the organization and running of seminars on EU affairs for SMEs and business professionals.

Boué holds a Master of Business Administration from the Europa-Institut (Saarbrücken, Germany), a Certificate of Integrated Legal Studies (trilateral and trilingual Master’s degree in French, English, German and European Law, from the Universities of Warwick (UK), Saarland (Germany) and Lille II (France)), as well as a Bachelor of Arts in Law from the University of Lille II, France. He is based in BSA’s Brussels office.
