Digital

A single market for privacy

Europe needs a level-playing field for privacy and data protection.

Member

A photo of José María Álvarez-Pallete

José María Álvarez-Pallete

Telefónica

Company

Ecosystems

Digital

One of the most important lessons from the Covid-19 crisis is that connectivity is now fundamental for our economic and social activities. High-capacity networks like fibre and 5G are an essential precondition to digital transformation. The investment challenge for fibre and 5G rollout is daunting, and operators are looking at combined outlays of hundreds of billions of euros.

The EU is already far behind the US and Asia: 5G networks in the EU reached less than 25% of the population in Q3 2020, while in the USA 76% of the population is already covered by 5G and 93% in South Korea.

So, what can Europe do to attract more private investment for fibre and 5G? One way is by setting rules to become a true digital Single Market that includes creating a fair and harmonised data protection regime.

Building on the success of GDPR
The General Data Protection Regulation (GDPR), the global gold standard for data protection and privacy, came into force in May 2018. It created enforceable rights for data usage for Europeans and became a global reference point for data protection. It is a regulation that Europe can be proud of as a guide to its transition to a value-based data economy.

Unfortunately, it has not fulfilled one of its key promises for business: to create a harmonised data protection regime and level-playing-field across the EU for business. Data protection authorities in the EU Member States interpret various provisions of the GDPR differently. This undermines the Single Market, hampers innovation and creates problems for companies operating in more than one member state. In the first Evaluation Report on the application of GDPR published in June 2020, the European Commission itself recognised that still a degree of fragmentation exists and “creates challenges to conducting cross-border business, innovation, in particular as regards new technological developments and cybersecurity solutions”

Added to this, to date there has been a lack of consistency in the way EU Member States are enforcing the rules, as evidenced by the wide disparities in fines. For example, while the Spanish authority has issued 212 fines to companies over GDPR, the Swedish authority has enforced fines in just 17 cases. The figures in fines also vary, from €76m in Italy to €1.8m in Poland. Against the backdrop of an accelerating digital transformation, these differences are creating legal uncertainty for companies and they undermine the Single Market.

The case for European data spaces
There are also sectoral areas where the GDPR provisions are unclear, mainly health and finance. The acceleration in the use of digital technologies is creating huge volumes of data, so when it comes to building European data spaces, it is especially important that they are founded on a harmonised implementation and interpretation of GDPR – one that empowers the free movement of data across the EU.

In this regard, some of the opinions of the European Data Protection Board – the independent body set up ensure consistent application of the GDPR – depart from the text and the spirit of the legislation. They focus instead on a narrow and static interpretation of its provisions like the guidelines on data portability, the guidelines on contractual necessity as a legal basis for data processing, or the guidelines on privacy and connected cars.

Last, but by no means least, the promise of generating a harmonised regime through GDPR has been eroded over the past four years, as the European Commission has pushed divergent sector- specific rules with its proposed ePrivacy Regulation. This draft legislation departs from the GDPR by imposing stricter requirements for data processing provisions. It confuses consumers and creates unfair conditions across the Single Market.

How to move forward
For all its success as a global standard, GDPR can be improved upon. In simple terms, we need to avoid any situation in which the same data would be subject to different rules depending on who is processing them, or ePrivacy rules imposing stricter obligations on providers of communications services than GDPR on other entities.

GDPR cannot achieve its full potential if it runs in parallel to outdated ePrivacy sectoral rules and static interpretations of privacy. In his comparative analysis of ePrivacy Regulation and GDPR, Prof. Zwenne from Leiden University concluded that “it is unclear what the added value of ePrivacy Regulation is, either in terms of enhancing data protection rights or supporting the free movement of data and services”.

The problem is that the current draft ePrivacy regulation would not improve the situation of European consumers but just generate new regulatory hurdles for network operators. That is why the ePrivacy Regulation proposal should be withdrawn and replaced with one focused on creating a harmonised regime – one that can create the same high standards of privacy for all businesses operating in the EU Single Market.

 

Confidentiality
The next layer of data protection rules should focus on the confidentiality of communications. At a time of unprecedented cyber-criminality, with ransomware and malware becoming increasing common, consumers needs to be reassured that they can place their trust in the digital ecosystem. But it should also ensure flexibility for providers of electronic communications services to use metadata responsibly for the benefit of consumers and innovation.

This is about protecting privacy while providing enough data access and use, to build a bridge to innovation, growth and investments in the digital economy.
If regulation creates overly restrictive and divergent rules for EU telecom operators, it will ultimately jeopardise future growth. That will impact investments in infrastructure like fibre and 5G – and all without benefiting the privacy of Europeans.

A level playing field in privacy and data protection can protect EU citizens for the next wave of innovation, while also giving European businesses the possibility to invest, compete and create a value-based, sovereign data economy. That would create a real single market in privacy.

The EU is already far behind the US and Asia: 5G networks in the EU reached less than 25% of the population in Q3 2020, while in the USA 76% of the population is already covered by 5G and 93% in South Korea.

For all its success as a global standard, GDPR can be improved upon. GDPR cannot achieve its full potential if it runs in parallel to outdated ePrivacy sectoral rules and static interpretations of privacy.

Recommendation

Withdraw the current ePrivacy Regulation proposal and replace it with a harmonised regime focused on protecting the confidentiality of communications.

People icon

People

Goods icon

Goods

Services icon

Services

Capital icon

Capital