Data Protection Ensuring high level of privacy while promoting business innovation and competition


Tele2 AB, Skeppsbron 18 P.O Box 2094, SE STOCKHOLM, SWEDEN Tel , Fax Org nr ,

Executive summary

The current Data Protection Directive [1] came into force over 15 years ago. While the Directive has provided data subjects within the European Union a high level of protection of their personal data, it is now considered outdated. The main reason it is no longer considered fully sufficient is the rapid technological development of recent years. Although the core principles and many of the essential concepts of the Directive shall still be seen as valid, it has become evident that European data protection regulation needs to be revised to fit current and future innovative developments.

In the Proposed Regulation, published by the Commission in January 2012, there are many positive adjustments, such as increased harmonization. However, there are also some alterations that raise concern. The Proposed Regulation as it stands now would remake the landscape in Europe in regard to data protection.

Tele2 would like to share our views and experiences in regard to data protection in this position paper. We will also propose alterations to principles which are considered to have significant impact on an individual's privacy experience, as well as provisions which are expected to have a negative effect on innovation and technological development for European businesses. The most significant provisions and concepts are the following:

I. Protection of individuals' data shall be technological and sector neutral

In order to ensure end-user consistency and to avoid disproportionate burdens for the telecommunication sector, Tele2 encourages revising the Proposed Regulation so as to ensure that there are no overlapping obligations between the upcoming Regulation and the e-privacy Directive.
In order to avoid any uncertainty about applicable law and to circumvent divergent and potentially conflicting principles in the time elapsing between the Regulation coming into force and the e-privacy Directive potentially being revised, the overlapping provisions of the e-privacy Directive shall be repealed by the Regulation.

II. Harmonization creates trust and fosters economic growth

A Regulation which is directly applicable in member states will safeguard a consistent application of data protection rules across the EU. The harmonized approach will ensure a high and consistent level of protection of personal data across the EU; this is believed to enhance trust, which will generate a well-functioning internal market. The fact that the Proposed Regulation is applicable to all companies offering services to individuals residing in the EU will secure a consistent application of data protection for data subjects situated in the EU and ensure a level playing field for European companies providing services within the Union.

III. Ensuring consistent application - high level cooperation and one-stop shop

A Regulation will not on its own achieve full harmonization. In order to achieve a high level of harmonization there is also a need for comprehensive cooperation among data protection authorities ("DPA"). The Regulation contains several provisions which are meant to accomplish this, including an obligation for DPAs to communicate in advance to the Commission and the European Data Protection Board certain enforcement and compliance measures they intend to take. For a company such as Tele2 this is something very positive, as it will ensure that the Regulation will be applied equally across the EU. Furthermore, the fact that a company established in many member states will only be supervised by the DPA of the member state where the company has its main establishment is of great benefit. This will create a more business-friendly regulatory environment since it will lead to an efficient and consistent application of data protection rules across the EU.

[1] Directive 95/46/EC of the European Parliament and of the Council, on the protection of individuals with regard to the processing of personal data and on the free movement of such data - hereafter referred to as the Directive.

IV. Personal data - clarified definition and enhanced scope for anonymization

A clear definition of personal data is critical in relation to processing of personal data, both for data subjects and for data controllers. Tele2 therefore welcomes the clarification of what shall be considered as personal data in the Proposed Regulation. However, an overly inclusive definition of personal data is believed to lead to additional burdens for data controllers while not ensuring better protection of data subjects' privacy. What is appreciated from the perspective of a data controller is the principle that data protection legislation does not apply to anonymous data, i.e. data that is no longer identifiable. However, a consistent application of the definition of personal data and of what is considered anonymized data is also essential and shall be monitored by the European Data Protection Board, in accordance with the consistency mechanism.

V. Consent suited for the online world

Tele2 welcomes measures in the Regulation which will provide greater transparency, choice and control of an individual's personal data.
However, the new rules concerning consent for legitimizing data processing are believed to be too burdensome and restrictive both for data subjects and businesses, while at the same time not enhancing the level of protection for individuals' privacy. Tele2 sees a risk of consent fatigue causing end users to consent by reflex. In order to construct future-proof legislation that ensures that data controllers capture the true will of the end users in regard to the processing of their personal data, it needs to leave room for flexibility.

VI. Processing personal data - safeguards

The strengthening of the general conditions for data processing is seen as positive. The fact that data subjects will get enhanced knowledge of their rights in regard to processing of personal data is believed to lead to a greater level of trust, especially in the online world. However, some of the new provisions may rather create situations where data subjects receive too much information. There is also a risk that some of the new provisions may hamper companies' ability to develop new services in an effective manner.

VII. Administration - actually cutting red-tapes

One of the aims of the new Proposed Regulation was to cut red-tapes and to reduce administrative burdens which have proven to be excessive since they do not enhance privacy for individuals. [2] The elimination of the current notification system is positive; however, the new requirements of extensive documentation obligations and impact assessment add new bureaucratic measures that will drive costs for data controllers, even though it has not been established that these measures will lead to better protection of personal data. Tele2 believes that in order to reduce administrative burdens while also ensuring a higher level of protection of data subjects' personal data, the Regulation shall rather build on the principle of accountability.

VIII. Proportionate sanctions when harm has been caused by non-compliance

In order to ensure harmonized application of the Regulation, a consistent approach to sanctions for non-compliance is essential. However, it is of utmost importance that the level of sanctions introduced is proportionate, fair and applied according to objective criteria. Sanctions shall furthermore take into account the circumstances and harm that has been caused by a breach of the Regulation. The Proposed Regulation does not take into account these requirements as of today.

IX. Data breach notification

Data breach notification is a measure which is already an obligation for the telecommunication sector under the e-privacy Directive. The notification scheme encourages data controllers to handle personal data in a more secure manner while building third party confidence. However, the 24-hour requirement in the Regulation shall be considered to be both impractical and counterproductive for the purpose of the breach notification. Tele2 rather believes notification shall take place without undue delay, as currently stated in the e-privacy Directive. Furthermore, there is a need to narrow down the scope of when notification is needed.
The current wording may preempt the aim of the obligation, since there may be an overload of notifications to the DPAs and end users (in cases where the data breach affects the privacy of data subjects); hence the principle shall rather focus on personal data breaches which have serious and negative consequences for individuals.

X. International transfers

For Tele2, being a company with operations both within and outside the EEA, international data transfer is important. Tele2 supports the simplified process for adopting Binding Corporate Rules (BCR). Tele2 especially appreciates how a company will only have to apply for one BCR for the whole Group. However, we are still concerned about the provisions and rules outlining how BCRs, from a procedural aspect, will be applied across the EEA. Tele2 suggests that the administrative rules for setting up the BCR process be more clearly defined, including how to handle alterations to a BCR, in order to get the positive effect aimed for.

[2] Speech 11/814 of Viviane Reding entitled "Building Trust in the Digital Single Market: Reforming the EU's Data Protection Rules", delivered in Brussels on 28 November

Protection of individuals' data shall be technological and sector neutral

As an effect of the vast technological development in the area of telecommunication, it was thought that a specific legal framework was needed for the telecommunication sector in order to protect individuals' privacy - the e-privacy Directive. [3] When the e-privacy Directive came into force it was considered justified since the Directive did not provide sufficient guidance on how to protect individuals' data in the sphere of telecommunication. However, the Proposed Regulation is meant to be technology neutral and to be applied equally to data processing by data controllers who operate in both the on-line and off-line sphere. [4] A technology neutral and general data protection legislation will ensure a consistent protection of personal data. Therefore the provisions of the e-privacy Directive which are covered by the Regulation are no longer required or desirable. The prolongation of many of the Articles in the e-privacy Directive would, if they are not repealed, lead to an inconsistent end user privacy experience where the data protection would differ - depending on whether a service is provided by a telecommunication provider or an over the top ("OTT") actor who falls outside the scope of the e-privacy Directive. [5]

The Commission has recognized the problem but has suggested solving it by revising the e-privacy Directive so that it is compatible with the Regulation, however in a separate process. Tele2 is of the opinion that this is not a satisfactory solution. The reasons for this are threefold. Firstly, a revision of the e-privacy Directive in order to make it consistent can only take place when the final text of the Regulation has been adopted. Since all revision processes are time consuming, it cannot be expected that the revision of the e-privacy Directive, including national implementation, would be able to take place within the two years from the date when the Regulation comes into force.
This would lead to a period of time where the telecommunication sector would have to be compliant with two contradictory legal instruments covering the same matters. Secondly, national transpositions of a directive leave room for divergence in application. This means that the e-privacy Directive may be compatible with the Regulation but national legislation based on the revised e-privacy Directive may not be. Thirdly, in order to ensure a consistent application of all articles, the Regulation sets out rules for consistency mechanisms where, for example, an opinion by the European Data Protection Board must be asked for in certain circumstances. Even if the e-privacy Directive is transposed so that the national law is compatible with the Regulation, the interpretation in a legal dispute may not be consistent with the Regulation and not be harmonized across the EEA.

Furthermore, the existence of two parallel legislative frameworks for data protection for the telecom sector will not only lead to uncertainty in regard to which obligation prevails but will also create a disproportionate administrative and reporting burden for the sector, which in many member states will be monitored by two separate national authorities. [6] Considering that the privacy protection will be sufficient in the general Regulation, and also taking into account the wish to ensure that the Regulation is a future-proof data protection framework, it cannot be considered effective, proportionate or justified to have two parallel legal frameworks for the telecommunication sector, at least not for those provisions that are clearly overlapping. The provisions in the e-privacy Directive which need to be revoked are those dealing with location data and data breach notification. [7]

[3] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector.
[4] It is stated in Recital 13 in the Proposed Regulation that it shall be technologically neutral and not depend on the techniques being used.
[5] For example, an application provider or other service provider who has no electronic network is not considered to be a telecommunication provider, which is why the e-privacy Directive is not applicable. However, the OTT provider may offer location services equal to those of mobile operators but based on GPS or WiFi technology. For the end user the privacy implication would in this case differ.

Harmonization creates trust and fosters economic growth

A legal framework which will be directly applicable to all Member States (i.e. it does not require implementation into national law) will assist in achieving a consistent application of data protection rules across the EU. The current Directive has been highly criticized for not achieving a coherent application across the EU. This has led to varying outcomes in court cases which are based on very similar circumstances. Different application of data protection rules challenges a well-functioning internal market; end-user protection differs and businesses have to attune their data protection processes for each member state they operate in to ensure they are compliant with national legislation. In an era where e-commerce is flourishing and where companies are to a higher extent providing services cross border, while at the same time trying to gain from economy of scale, equivalent application of data protection rules is essential. Tele2 is of the opinion that the only method of accomplishing full harmonization of data protection measures is to ensure that the legal framework stems from a Regulation rather than a Directive.
Also, the fact that the EU data protection rules will apply to data controllers located outside the EU when they are offering their services to data subjects located within the EU is in line with ensuring that the Regulation is future proof and will lead to a consistent data protection application for end users. Tele2 supports this approach; however, it encourages the EU to consider how to, in an efficient manner, ensure that breaches of the Regulation are enforced when data controllers are based outside the EU and where they do not have a representative established in the Union.

Ensuring consistent application - high level cooperation and one-stop shop

Close cooperation amongst data protection authorities will be essential in order to achieve the aim of the Regulation. Tele2 is positive about the enhanced cooperation obligations set out in the Regulation, for example in Article 55. Tele2 is also a supporter of the creation of the European Data Protection Board. However, the detailed rules set out in the Regulation concerning the Board lack an obligation for the Board to be transparent and an obligation for the Board to consult stakeholders before adopting different types of opinions. Both these criteria shall be introduced in order to ensure that the work carried out by the Board obeys democratic values and principles.

The fact that a group of companies such as Tele2, who have subsidiaries operating in many EU member states, may only be subject to the jurisdiction of a single data protection authority is positive. The main-establishment principle will ensure efficiency and consistency of the data protection rules across the EU, while at the same time minimizing administrative costs for Group companies. However, the current definition of establishment is in Tele2's opinion very vague; it is not defined in the Regulation but only in recital 19, and the description is not clear. Furthermore, it is not clear how the determination of the main establishment is to be made in practice, i.e. would it be the company making the decision or will it be the DPA, and if this creates a dispute, how shall it be solved?

[6] The data protection authority which is responsible for monitoring the upcoming obligations under the Data Protection Regulation and the National Regulatory Authority which is responsible for monitoring the obligations under the e-privacy Directive.
[7] Article 2(c), 2(i), Article 4(3) and Article 9 of the e-privacy Directive.

Personal data - clarified definition and enhanced scope for anonymization

The definition of data subject is widened in the Proposed Regulation compared with the Directive. One thing which is still unclear is the meaning of a natural person who can be identified "by means reasonably likely to be used". Furthermore, there is a clarification in recital 23 stating that when data is rendered anonymous in such a way that the data subject is no longer identifiable, the principles of data protection do not apply. Anonymization techniques are already frequently used; however, the definition of what is considered anonymous and when personal data is no longer identifiable must be clarified in order to avoid any ambiguity.

Tele2 would also like to emphasize that processing of end user data in the medium to long term, when all proportionate safeguards are met, shall not by default be prevented. Personal data is often used as a token for payment by the end users, where individuals are able to use services by paying with their data. If their personal data could not be used in this manner, other business models would have to be established; for example, one could expect that search engines would have to use some kind of subscription fee.
Therefore, when all parties involved are fully aware of what type of processing of the personal data will take place, the duration for this, the purpose and usage of the data (the receivers of the analyzed data), and the end user has freely provided his/her consent, processing of data on an individual level, i.e. non-anonymized data, shall not by default be forbidden.

Consent suited for the online world

The use of explicit consent is not believed to be suitable for all situations. An explicit consent is believed to be interpreted as an opt-in consent. In the online world this is believed to lead to an increased use of pop-up boxes, which in our view may lead to a privacy fatigue where data subjects will automatically tick boxes without necessarily understanding the implications. Furthermore, data controllers bear the burden of proof for retaining consent - this means that data controllers will have to produce new systems collecting individuals' consent in a suitable manner and store this, something which will add costs without necessarily leading to enhanced privacy for data subjects.

The Proposed Regulation states in Recital 25 that electronic consent should not be unnecessarily disruptive and that consent can be given by a clear affirmative action. Tele2 is of the opinion that the wording in Article 4(8) and recital 25 creates ambiguity. In order to achieve a high level of protection for individuals' data while promoting innovation and flexible use of online activities, it should be clarified that actions such as downloading an application in itself constitutes (implied) consent for the use of personal data while using that application for its main purpose. [8] The type of consent needed for a certain type of processing should rather build on the context of the data processing. Therefore Article 4(8) should be altered in order to be consistent with the wording of recital 25. Furthermore, explicit consent, with a separate clear definition, should be limited to categories of personal data which are considered to be sensitive data as outlined in Article 9 of the Proposed Regulation.

Furthermore, Tele2 would like to ask for a clarification in regard to the definition of "significant imbalance", as stated in Article 7(4). The wording in recital 34 provides guidance; however, in order to avoid misinterpretation, Tele2 is of the opinion that this shall be outlined in the Article.

[8] If the application provider would like to process the data for other services, marketing or other means, this would not be covered by the affirmative action, which is why a separate consent from the data subject would be needed.

Processing personal data - safeguards

Since an enhanced level of transparency and end-user knowledge of their rights concerning their personal data is believed to lead to increased trust, Tele2 supports new transparency provisions to the extent that these are proportionate. Furthermore, with a high level of transparency, a strict informational obligation and the principle of accountability, other safeguards should be less intrusive. This is because the data subject has a clear choice of when his/her data is being processed.

One example where Tele2 believes that the Regulation is not proportionate is Article 5(c) of the Proposed Regulation. The Article requires companies to limit the amount of data they collect and process. Such limitation shall not be considered necessary, since controllers have the obligation to ensure that data subjects are fully aware of what data is being processed, that they have freely given a specified and informed consent regarding what data is being processed, that they have been informed that the data will only be processed for certain reasons, and that they know that they have the right to withdraw their consent at any time. With the proposed transparency rules and information obligations, the limitation in Article 5 must be considered disproportionate.
The right to have data erased is not a new obligation; however, the principle has been strengthened in the new Regulation - the "right to be forgotten". The wording of the right to be forgotten as it stands now will likely be difficult to apply, since the scope goes too far and might raise false expectations among data subjects, especially since it will be difficult to ensure third party compliance and subsequently companies will still have to comply with other legal obligations where specific data must be retained and stored. [9] In order to ensure that essential erasure of data is always carried out in an efficient manner, the article should be re-phrased; there is otherwise a risk that the whole application of erasure will become ineffective.

The new principle of data portability is vague and the practical application of data portability is even more unclear. One concern that Tele2 has in this regard is that data which could be considered as business secrets is included in data that shall be ported. In order to prevent a disproportionate application, Tele2 believes that the principle shall only be applicable to data which may be useful for the data subject to re-use. For example, CDRs which are produced by telecommunication operators for billing purposes would not be useful for any other operator than the operator who delivered the services in the first place or for the end-user, and they would not assist the end user in any way. The scope for data portability shall therefore be limited only to data which the end-user directly can reuse.

[9] For example obligations under national Accounting Acts and the requirement under the Data Retention Directive 2006/24/EC.

A data subject's personal data which is being processed by a data controller shall be easily accessible for end users. Data controllers shall provide that data to the end user without undue delay and without any costs. If the requests are excessive, based mainly on their repetitive character, the controller may charge a fee. In order to avoid any vagueness and to reduce the burden for data controllers to prove repetitive character, Tele2 believes that the Regulation shall determine what shall be defined as such; for example, if a data subject requests information more than once a year, the data controller has the right to cover its costs for providing such data.

Administration - actually cutting red-tapes

Tele2 is positive to see that the obligation to notify data protection authorities is abolished in the Proposed Regulation. Firstly, because the obligation has been applied differently across the member states, and secondly, because it has not been shown that the process in any way enhanced data subjects' privacy. The new obligation of impact assessment is however likely to lead to new extensive internal processes; therefore it is believed that the new obligation only replaces the old one without achieving anything new.

The aim of the Proposed Regulation is to ensure that data controllers ensure effective data protection. This is a policy objective which Tele2 supports; however, the way the Proposed Regulation suggests to carry out this obligation shall be seen as excessive and overly bureaucratic. Data controllers have an obligation to carry out an impact assessment when the processing of personal data presents specific risks. [10] In Article 33 (2) (a) to (e) the categories of data which shall be seen as presenting a specific risk are outlined - Tele2 believes that this list is too descriptive.
In order to ensure that data are being appropriately safeguarded and that data controllers use effective measures when processing data, while ensuring flexibility for businesses. With the current wording, new services are likely to be delayed and will come with added costs. Furthermore, the requirement that data protection authorities need to be consulted before the processing may take place is likely to lead to even longer delays of service launches.

The obligation under Article 33(4) raises additional concern for Tele2. The obligation sets out that data controllers shall seek the views of data subjects or their representatives (e.g. consumer organizations) on intended processing in cases where processing presents a specific risk. Firstly, Tele2 is of the opinion that this obligation shall be deemed disproportionate, since it is not proven or even indicated that such a measure would assist in accomplishing the aims of the Regulation, i.e. increase the level of privacy for individuals. Secondly, sharing sensitive commercial information before the launch of a new service creates a commercial concern for data controllers and could in many European countries be in conflict with legislation protecting trade and business secrets.

[10] Article 33 (2) in the Proposed Regulation

Parallel to the new obligation of impact assessment is the obligation to maintain documentation of all processing operations being carried out by the data controller. [11] The overall aim of the Commission, as stated above, has been to decrease the administrative burden of data controllers and cut red-tapes when such administrative tasks do not lead to improving protection of personal data. The new provision of documentation will likely reduce the administrative burden compared with the current notification obligation in Article 18 in the Directive. However, the obligations as set out in Article 28 of the Proposed Regulation risk becoming nearly as burdensome as current rules, since the documentation requirements stated are very detailed.

In order to ensure a future-proof Regulation which improves the protection of personal data while removing obstacles to the free flow of personal data and encouraging European businesses to grow and be innovative, the principle of accountability as set out in Article 22 shall be the basis for data controllers' general obligations. The obligations of both impact assessment and documentation shall be carried out in the light of the principle of accountability. The principle of accountability leaves room for data controllers to implement measures that are appropriate for the processing of personal data, in order to be compliant with the Regulation. Data will be safeguarded appropriately while leaving room for innovation and quick business decisions. Rather than having a bureaucratic checklist, data controllers and data processors are able to set up internal processes which are appropriate and effective measures in order to ensure that they are compliant with the Regulation.

Proportionate sanctions for non-compliance

Under the Directive, sanction levels were left for Member States to decide, something which has resulted in levels and methodology varying widely.
In order to provide for a more consistent approach, the Regulation needs to lay out more precise rules than what is currently stated in the Directive. In recital 9 of the Proposed Regulation it is stated that to ensure effective protection of personal data throughout the Union there is a need for equivalent powers for monitoring and ensuring compliance with the rules and equivalent sanctions for offenders. Tele2 supports this but would like to emphasize that a sanction regime must furthermore provide legal certainty, take into account the circumstances leading to the violation and consider the harm that has been caused to individuals as a result of the data breach.

Article 78 of the Proposed Regulation states that Member States shall lay down rules on penalties for infringements and that the penalties provided must be effective, proportionate and dissuasive. Noncompliance under the Draft Regulation would in the most serious breaches lead to fines of up to 2% of an enterprise's annual worldwide turnover. In cases of infringement, Tele2 is of the opinion that sanctions should be of a level that ensures compliance while being proportionate to the harm a breach has caused. Additionally, the fact that a DPA is obliged to impose a fine for any intentional or negligent violation without first being able to issue warnings to companies shall be altered, since this cannot be seen to fall within the principle of necessity. [12] For example, a mandatory 2% fine for a breach relating to using personal data for direct marketing purposes, which may have been caused by a negligent act by one employee, cannot be seen as necessary or proportionate to the aims that the Regulation wants to accomplish.

[11] Article 28 in the Proposed Regulation
[12] There is now an exemption for companies with less than 250 employees. Tele2 believes that the exemption shall apply to all companies.

The Commission has proposed exemptions for companies with less than 250 employees [13], in order to ensure that small and medium companies are given some leeway. Tele2 fully understands and agrees that some companies shall not have to obey the strict legal obligations of the Regulation. However, the prerequisite shall not be based on number of employees but rather on the type of data that they process. A small company with only a few employees can handle much more sensitive data and cause much larger privacy breaches than a large company barely dealing with any personal data at all, for example a small application provider compared with a large construction company.

Furthermore, the current wording of Article 79 (1) is ambiguous - each supervisory authority shall impose administrative sanctions. This can be interpreted as meaning that if a violation has had effect on individuals residing in more than one member state, each DPA of those member states has the power to impose sanctions on the data controller. Since Tele2 believes this is not the intention of the Article, Tele2 is of the opinion that this needs to be clarified.

The current wording of Article 79 in the Proposed Regulation appears to draw on existing antitrust and merger legislation. [14] In competition legislation the reasoning behind the high level of fines is that companies will have an economic gain from violating competition law, while at the same time preventing end users from all the benefits of fair competition. The level of sanctions for e.g. cartels does therefore not only have the effect of eliminating the gain and profit of a cartel, since companies who participate in cartels would have made financial calculations of these gains, but it also needs to have a discouraging effect.
15 Many of the provisions which will lead to extensive fines under the Proposed Regulation would, even if the breach is carried out as an intentional act of the gravest kind and for a considerable duration, still not lead to any direct economic gain for the company or often not direct harm to the end users or the wider society. In a competition case leading to extensive fines a deliberate decision would be made in order to achieve some kind of gain. Hence the methodology and reasoning behind high level sanctions cannot be copied from competition legislation to the data protection Regulation. Tele2 proposes that when there is no direct harm to individuals, sanction levels should be based on metrics other than percentages of company global turnover. Data breach notification Tele2 is a supporter of the extension of the current e-privacy obligation of data breach notification to the general Data Protection legislation. An extension will not only promote data controllers, from all sectors, to ensure a high level of data security but will also build confidence among data subjects. However there is a need to ensure that the same rules apply irrespectively of what kind of services a data controller offers. This means that the requirements imposed by the Regulation and the e- 13 These exemption deals with the material scope (Art 2), documentation obligation (Art 28), obligation to have a privacy officer (Art 35 ) and Sanctions under Art 79. All these shall be reconsidered and the exemption shall rather be based on privacy risk and type of data which is being processed by the controller. 14 Article 23 of Regulation 1/2003and Article 14 of Regulation 139/ See the reasoning in Flat Glass IP/08/1685, 12 November 2008, a fine of approximately 1,4 billion. 11

12 privacy directive should be aligned by incorporation the rules from the e-privacy directive into the Regulation. This would help avoid inconsistency and would prevent dual notification obligation for the telecom sector. However there is need to ensure that the type of data breaches need to be notified are limited to only those which have serious and negative consequences on individuals. There is otherwise a risk that the obligation will lead to disproportionate burdens for data controllers and processors, there is also a risk that DPA s would not be able to handle the vast amount of notification they would receive. While limiting the scope the notification scheme would more likely be carried out correctly by all responsible parties. Furthermore the 24 hour requirement should be altered to be in alignment with the current wording of the e-privacy directive. This since it cannot be seen as practical or lead to better processes which would enhance data subject privacy protection. Finally End-user notification shall be limited to cases where there is a direct relationship with the data subject. International transfers Transfer of data to third countries has under the Directive been difficult, in cases where end user consent has not been provided. For many companies transferring data outside the EEA may provide economic gain, for example outsourcing customer care to a non-european country. The Proposed Regulation sets out clear and detailed rules for the usage of Binding Corporate Rules (BCR). The rules stated in Article 43 provides for a greater legal certainty and will likely lead to a greater usage of BCR. Tele2 is also supportive of the fact that BCRs can be applied for by a group of companies in EU i.e. one DPA will be able to adopt and approve a BCR for the whole EEA. This will lead to a great reduction of administrative burdens for the usage of BCRs. 
However, like the current BCR provision the proposed regime is not flexible enough in order to ensure that BCR can be easily used in practice. Tele2 therefore believes that the Proposed Regulation shall make it possible to use one approved BCR, without have to once more fulfill the process, if minor amendments and updates in regards to the processing happen after the approval of the BCR. 12


More information

Guidelines for the use of electronic signature

Guidelines for the use of electronic signature Republic of Albania National Authority for Electronic Certification Guidelines for the use of electronic signature Guide Nr. 001 September 2011 Version 1.3 Guidelines for the use of electronic signature

More information

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES

OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES OUTSOURCING, HOSTING AND DATA PRIVACY ISSUES 4 April 2013 James Castro-Edwards Solicitor Monica Salgado Advogada / Portuguese Lawyer OUR TEAM Speechly Bircham is an ambitious, full-service law firm with

More information

White paper. The Essential Guide to the EU Data Law Changes. your technology, expertly marketed

White paper. The Essential Guide to the EU Data Law Changes. your technology, expertly marketed White paper The Essential Guide to the EU Data Law Changes This guide explains exactly what the EU Data Protection Regulation is and how it will change life as we know it when it comes into enforcement

More information

PUBLIC CONSULTATION ON POSTAL SERVICES

PUBLIC CONSULTATION ON POSTAL SERVICES EUROPEAN COMMISSION PUBLIC CONSULTATION ON POSTAL SERVICES PART 2 CONSULTATION ENDS JAN 27 2006 NOV 2005 V1.9 Page 1 of 9 PART 2 CONSULTATION ON POSTAL SERVICES Part 2 asks more detailed questions on a

More information

C 128/28 Official Journal of the European Union 6.6.2009

C 128/28 Official Journal of the European Union 6.6.2009 C 128/28 Official Journal of the European Union 6.6.2009 Second opinion of the European Data Protection Supervisor on the review of Directive 2002/58/EC concerning the processing of personal data and the

More information

Online Security, Traffic Data and IP Addresses. Review of the Regulatory Framework for Electronic Communications

Online Security, Traffic Data and IP Addresses. Review of the Regulatory Framework for Electronic Communications Brussels, October 8 th 2008 Online Security, Traffic Data and IP Addresses Review of the Regulatory Framework for Electronic Communications Francisco Mingorance Senior Director Government Affairs franciscom@bsa.org

More information

COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT AND THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE

COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT AND THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE EN EN EN EUROPEAN COMMISSION Brussels, COM(2010) COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT AND THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE Removing cross-border tax obstacles

More information

The potential legal consequences of a personal data breach

The potential legal consequences of a personal data breach The potential legal consequences of a personal data breach Tue Goldschmieding, Partner 16 April 2015 The potential legal consequences of a personal data breach 15 April 2015 Contents 1. Definitions 2.

More information

Data protection compliance checklist

Data protection compliance checklist Data protection compliance checklist What is this checklist for? This checklist is drawn up on the basis of analysis of the relevant provisions of European law. Although European law aims at harmonizing

More information

Final Draft Guidelines

Final Draft Guidelines EBA/GL/2015/04 20 May 2015 Final Draft Guidelines on factual circumstances amounting to a material threat to financial stability and on the elements related to the effectiveness of the sale of business

More information

Guidelines on Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment

Guidelines on Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment Guidelines on Executive Order on Information and Consent Required in Case of Storing and Accessing Information in End-User Terminal Equipment ("Cookie Order") 2nd version, April 2013 Preface...3 1. Introduction...5

More information

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT

LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT LEGISLATION COMMITTEE OF THE CROATIAN PARLIAMENT 2300 Pursuant to its authority from Article 59 of the Rules of Procedure of the Croatian Parliament, the Legislation Committee determined the revised text

More information

EUROPEAN ECONOMIC AREA JOINT PARLIAMENTARY COMMITTEE. REPORT on E-Commerce and EEA legislation

EUROPEAN ECONOMIC AREA JOINT PARLIAMENTARY COMMITTEE. REPORT on E-Commerce and EEA legislation EUROPEAN ECONOMIC AREA 30 November 2000 Brussels JOINT PARLIAMENTARY COMMITTEE REPORT on E-Commerce and EEA legislation Co-rapporteurs: Ms. Marjo Matikainen-Kallstöm (EPP-ED, Finland) Mr. Vilhjálmur Egilsson

More information

Working Document 02/2013 providing guidance on obtaining consent for cookies

Working Document 02/2013 providing guidance on obtaining consent for cookies ARTICLE 29 DATA PROTECTION WORKING PARTY 1676/13/EN WP 208 Working Document 02/2013 providing guidance on obtaining consent for cookies Adopted on 2 October 2013 This Working Party was set up under Article

More information

Draft Code of Conduct on privacy for mobile health applications

Draft Code of Conduct on privacy for mobile health applications Draft Code of Conduct on privacy for mobile health applications I. About this Code 1) Introduction To be drafted as a last step, when the rest of the Code is more or less stable Ed. 2) Purpose The purpose

More information

16140/14 GS/tt 1 DG D 2C

16140/14 GS/tt 1 DG D 2C Council of the European Union Brussels, 1 December 2014 (OR. en) Interinstitutional File: 2012/0011 (COD) 16140/14 DATAPROTECT 181 JAI 961 MI 950 DRS 163 DAPIX 183 FREMP 220 COMIX 645 CODEC 2375 NOTE From:

More information

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL EUROPEAN COMMISSION Brussels, 25.1.2012 COM(2012) 11 final 2012/0011 (COD) Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing

More information

Jan Philipp Albrecht Rapporteur, Committee on Civil Liberties, Justice and Home Affairs European Parliament

Jan Philipp Albrecht Rapporteur, Committee on Civil Liberties, Justice and Home Affairs European Parliament September 5, 2012 Jan Philipp Albrecht Rapporteur, Committee on Civil Liberties, Justice and Home Affairs European Parliament Lara Comi Rapporteur, Committee on Internal market and Consumer Protection

More information

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES

GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES GUIDE ON DATA PROTECTION REQUIREMENTS IN THE CONTEXT OF CLOUD COMPUTING SERVICES CONTENT 1. WHY A CLOUD COMPUTING GUIDE?... 2 2. WHAT IS CLOUD COMPUTING?... 4 3. WHAT ARE THE ROLES OF THE CLOUD SERVICES

More information

INTERNATIONAL PHARMACEUTICAL PRIVACY CONSORTIUM COMMENTS IN RESPONSE TO THE CALL FOR EVIDENCE ON EU DATA PROTECTION PROPOSALS

INTERNATIONAL PHARMACEUTICAL PRIVACY CONSORTIUM COMMENTS IN RESPONSE TO THE CALL FOR EVIDENCE ON EU DATA PROTECTION PROPOSALS INTERNATIONAL PHARMACEUTICAL PRIVACY CONSORTIUM COMMENTS IN RESPONSE TO THE CALL FOR EVIDENCE ON EU DATA PROTECTION PROPOSALS I. INTRODUCTION The International Pharmaceutical Privacy Consortium (IPPC)

More information

5581/16 AD/NC/ra DGE 2

5581/16 AD/NC/ra DGE 2 Council of the European Union Brussels, 21 April 2016 (OR. en) Interinstitutional File: 2013/0027 (COD) 5581/16 LEGISLATIVE ACTS AND OTHER INSTRUMTS Subject: TELECOM 7 DATAPROTECT 6 CYBER 4 MI 37 CSC 15

More information

South East Asia: Data Protection Update

South East Asia: Data Protection Update Data Privacy and Security Team To: Our Clients and Friends September 2013 South East Asia: Data Protection Update Europe has had data protection laws in place for over a decade. Such laws regulate how

More information