For any data-driven enterprise hoping to grow its operations in Europe today, the vaunted Single Market is a chimera. Rather than a harmonized legal framework and clear rules for how companies must safeguard people’s personal information and preserve their privacy, one finds a confusing patchwork.
Take the example of a cloud computing service that offers software tools, data storage, and processing power for enterprise-level clients to use in running their operations. The technology architecture of such a service should easily allow the cloud provider’s physical headquarters to be located in one country, its servers to be located in another, and its customers to be spread all over Europe. (Such economies of scale are in fact the very point of cloud computing.) The cloud service provider’s client companies, in turn, could have their own customers in any number of different locations.
But which country’s privacy and security regulations would cover which sorts of enterprise data in which circumstances? And under what circumstances and under which rules can the data be moved from one location to another? Today, it is very difficult to know. There are different definitions of what constitutes personal data, different rules for how data can be processed and transferred across borders, and different legal obligations for data controllers.
The problem is that the 1995 Data Protection Directive, which was intended to create a common set of rules for the EU, has instead allowed a great deal of leeway for member countries to interpret and implement its requirements. The result has been hopeless fragmentation, which has led to legal uncertainties for businesses, their customers, and consumers. But now the Directive is up for review, providing a welcome opportunity to fix its flaws.
The Business Software Alliance and 10 other associations have coalesced around a set of recommendations to create a robust legal framework that clarifies the rules for data protection in Europe. We are offering them today to European Commission Vice President Viviane Reding, who is overseeing the review. Our submission includes five concrete proposals:
- To create a more cohesive Single Market, we suggest that the Directive be revised to create a single set of rules that covers all EU member countries and all types of enterprises, regardless of which technologies they use. To do this, the framework must be flexible and technology-neutral.
- To eliminate confusion about which laws apply in which circumstances, we recommend adopting a “country-of-origin” principle. This would allow each data controller to be subject to a single set of rules across the EU. For example, the country of origin could be the EU member state where the data controller’s main establishment is located.
- The Directive should streamline and simplify the rules for transferring data across international borders to ensure robust data protection while also allowing timely transactions and seamless operations. The current system makes it very cumbersome to send data in and out of the EU.
- Revised data protection rules should reduce administrative burdens on entities that handle data by abolishing or streamlining unwieldy notification and registration requirements. As an alternative, there should be a harmonized way for enterprises operating across Europe to voluntarily appoint data protection officers who will be responsible for handling high-risk data breaches.
- The new EU legal framework should introduce a context-based model of consent that allows data controllers to consider the circumstances of a given transaction and choose the most contextually appropriate ways of giving people necessary information, obtaining their consent, and empowering them to control how their data is used.
Together, these recommendations will help achieve the right balance between preserving privacy, protecting data, promoting innovation and enabling a free flow of information in a true Single Market for data.