Increase transparency & control for user (personal) data Strenghten applicability of EU law - limit abuse of jurisdiction ( forum shopping )

Transcription

1 Privowny welcomes the opportunity to respond to the European Commission DG JUSTs consultation on the review of the data protection framework. Privowny is at the forefront of technology, introducing a new era in data protection and privacy, focusing on enabling user control of personal data (Personal Control & Identity Management - PCIM ). It is our belief that users should know what happens to their data and become more actively involved in determining the processing of their (personal) data. Privowny s innovations will deliver significant value to European consumers and contribute to improving the European competitiveness while increasing the level of protection without restricting the use of data, which is necessary to deliver tailor made products and services and spur innovation. Privowny is a strong advocate of transparency and control in the data protection arena - for users to be confident and manage their data accordingly, they need to know who holds their data and have full control over it. Privowny s solution will allow users to know with whom they shared which data and exercise control to a certain level where they will know who shared their data with whom. It will allow users e.g. to determine i) who should receive and keep their data ii) for what purpose iii) what timeframe iv) under which conditions and importantly v) enforce the agreed use of data Our company has an important stake in the modernisation of the rather antiquated DP framework, which requires significant revision to be made fit for the internet age, focused on user control and introducing actionable rights for individuals and companies. The review of the Data Protection should achieve: - regulation empowering users to fully control their data - introduction of new rules that allow market-driven solutions of data management (on behalf of users) In particular and in response to the consultation document, Privowny s contribution focuses on the following points: Data meshing deserves Commission action It is without any doubt that data meshing and combination of data from various sources create added value for the economy and result in improved offers for users. However, such meshing without user s knowledge of the processing and its underlying logical process and 1

2 conclusions or any meaningful control may result (and often does) in negative decisions and/or perceptions for users. Because he/she doesn t feel in control but understands that something is happening in the machine without his/her full knowledge, the user has no means to control. Also, in some cases, what a user has understood based on a privacy policy to which he/she agreed to, is far from the reality, as companies e.g. share (or sell) user s (personal) data. By the end of the day, it is less a problem of sharing and being tracked than being fully aware and in a position to control the data usage. Indeed, one area that deserves the Commission s attention is the combination of offline data with online data (common and daily practice), mostly without ANY knowledge of users. Data are shared and sold and it is impossible to keep track of this. A user might have agreed to the sharing of his/her data in many transactions (usually mandatory requirement in general terms and conditions) but as those agreements amount to tens or hundreds in the (short) lifespan of the internet, it is impossible for users to track sharing of data or logically understand the flow of data to various companies and players. Increase transparency & control for user (personal) data Privowny fully supports the introduction of a general principle of transparent processing of (personal) data. Transparency means allowing users to know who shared which data with whom and potentially have a right to stop further sharing. Privowny regards the action aiming at enhancing control over one's own data as the most important change to the current framework. That can only be successful if companies such as Privowny and/or associations can be mandated to act on behalf of its users (when users request). Current law allows for such mandates, but unless Privowny s users can mandate Privowny directly, with the means of the internet, it will be unlikely that users will enforce their rights if it becomes too burdensome (equivalence of means protecting should be as easy as sharing data). Any action should encourage PETs and (third parties) solutions that allow and increase transparency for users. That increase of control should be accompanied by provisions that allow users limiting contractually the period (personal) data are retained: while it will be impossible to enforce this at individual user level, Privowny will have the power to negotiate favourable terms and allow its users to accept sharing his/her data with another trusted company or not, fully at the discretion of the user. Strenghten applicability of EU law - limit abuse of jurisdiction ( forum shopping ) Privowny believes that companies targeting markets should be in compliance with local laws. For us, trust and confidence of our clients also includes compliance with local laws. We call upon the European Commission to ensure DP jurisdiction captures companies that undoubtedly target European markets / citizens within the EEA. The Commission might 2

3 consider introducing similar rules to those in tax law that provide legal instruments to capture structures set up to avoid jurisdiction (forum shopping). Personal data careful revision warranted Privowny believes that the rational for the three-tier classification of data (- personal data - sensitive data) is still valid and should be maintained. In this context, the Commission should consider criteria and methods that should and could be used to transform personal data through anonymization methods into downgraded data and allow companies to using those with fewer restrictions (i.e. classification as data ). Obviously, any new rules should ensure that anonymization cannot be reversed. Sensitive data It is incomprehensible, how trade union membership is regarded as sensitive data but the most important data are not: financial data. Privowny recommends to maintain the listapproach (which allows easier classification and practical handling by data controllers) but revise the covered categories. We believe that companies holding a vast amount of personal and sensitive data such as social networks should be particularly exposed to higher standards and, most importantly comply with European DP law. Strengthening Data Protection Authorities rights Privowny agrees with the Commission s proposal to strengthen Data Protection Authorities ( DPAs ) rights. The objective of harmonisation should allow DPAs to focus on enforcement rather than policy development or trying to fix the shortcomings in of the fragmentation and free up resources (in a cost effective manner as we currently still bear the burden of the crisis). Even more important is that DPAs are staffed with top IT experts and carry out audits on a regular basis to keep up pressure for compliance for companies and for the experts to remain on top of IT evolution. Privowny believes that the data protection framework focusing on storing of information on user s terminal equipment is skewed in its philosophy for modern DP: many modern technologies under the soon to be universally applied HTML 5 require local storage. Local storage should be seen as positive for users, allowing user control and allowing companies to provide solutions to deal with such storage (e.g. security software already today scan computers and delete third party cookies, temporary storage etc.). Limitation of local storage will potentially drive companies to store information about users in the backend 3

4 when technologies like fingerprinting become more reliable or IPv6 is widely applied and allows static IP addresses. Server-centric storage would make it more difficult to access information. As technology evolves and develops, there will be always new technologies supporting storage and processing of data, so the solution isn t to restrict specific technologies but to make sure that the user is informed and in control - whatever the technology used. The solution to that problem can only be provided by market-driven solutions as Privowny will offer: access to data irrespective where it is stored. That will be achieved through collaboration with those companies that store data (voluntarily or enforced on behalf of users) and should be supported by the revised framework. Awareness raising is of key importance It will be crucial for the Commission to find more creative ways of raising users awareness and support cooperation of consumer associations with the business community. While it might be that traditional online businesses don t agree on all issues, there might be individual areas, such as child protection, where awareness raising could be done jointly. Funding such opportunities and consumer associations educational campaigns will be crucial as awareness of data protection is eroding due to the actions of some social networks and other companies. Campaigns should focus on online media as this is where most potential risks lie. Empower DPAs to action at court Privowny supports the introduction of rights for DPAs to bring an action before the national courts. Another aspect would be the creation of specialised chambers at national courts and at the European Court of Justice. DPOs caution on red tape Privowny cautions the introduction of mandatory Data Protection Officers without conditions. SMEs will not be able to fund such roles and their impact on the market is limited. It should be noted that it is large companies that are in favour of such proposals as they already have DPOs. Should DPOs be made mandatory, we would suggest providing European funding for such posts. Otherwise Europe might impact the further uptake of European internet companies to the detriment of data protection (as the level of protection is lower outside the EEA). 4

5 Privacy impact assessment only for very limited and narrow areas beware of costs for SMEs Data protection impact assessment should be limited in scope to such cases that are highly sensible. However, the Commission should be aware that such measures will impact SMEs as they are extremely costly and burdensome. Privowny is concerned that while the Commission s intention is to cut red tape, the revision of the DP Directive will introduce new administrative burdens and will impact the competitiveness of Europe s SMEs. Finally, it should be kept in mind that it is the companies that strive for compliance that pay the burden, whereas non-compliant companies don t. Privowny appreciates the opportunity to provide its feedback and will be contacting the European Commission to discuss further Should you have any questions, please contact Hervé Le Jouan, President and CEO, Privowny: herve@privowny.com 5