European Justice Ministers take step forward in the right direction on data protection


Ecommerce Europe welcomes the progress made by the EU Justice Ministers in the long standing negotiations on the reform of European data protection rules, as it is largely in line with the suggestions the association has communicated towards the European policy makers in a letter last week. Ecommerce Europe has advised European Justice Ministers against deciding upon too heavy administrative burdens for web shops, especially SMEs. The risk-based approach the Ministers have adopted on Friday 10 October is thereby a good step in the right direction. 

Concerns about costs for SMEs have been heard
The Justice and Home Affairs Council reached an agreement on Chapter IV of the draft regulation which covers obligations for data processors, such as online merchants handling consumer data for purposes like bookkeeping and consumer warranty administration. Ecommerce Europe has voiced its concerns about an obligation for small and medium-sized web shops to designate a data protection officer, because the costs of this are incalculable and disproportionate to the actual impact and privacy risk of their processing of data. Following Ecommerce Europe’s recommendation, on Friday Justice Ministers confirmed that SMEs should be exempted from the obligation to assign a Data Protection Officer.

Risk-based approach to obligations for the online sector
Overall, Ecommerce Europe has asked the policy makers to take a risk-based approach and to base rules on obligations for data processors on the actual risk involved. The association was therefore pleased to learn there was consensus among the Justice Ministers that administrative burdens for the online sector should be limited so as to reach a good balance between protecting personal data and safeguarding the freedom of entrepreneurship. This results in an approach on which rules apply based on two levels of risk: A general level with lower obligations and a high level that would only apply to certain operations. Interim-Commissioner Reicherts has already stated the European Commission supports this approach, which only leaves the European Parliament to agree. Nevertheless, the exact definition of high-risk still needs to be debated in further negotiations.

Right to be forgotten: Only basis of Google-case ruling agreed upon
The Ministers also discussed the implications of the European Court of Justice’s landmark ruling on the right to be forgotten, based upon the ruling against Google in Spain. In its letter, Ecommerce Europe has indicated to the Justice Ministers that the right to be forgotten should be restricted to user-generated content, so that web shops can comply with other legal obligations concerning for example bookkeeping, taxes, and consumer warranty. During the discussions in the Justice and Home Affairs Council of 9 October the Justice Ministers have taken this and other considerations into account and have decided that the right to be forgotten should be decided upon a case-by-case basis. This means that the new regulation will only include the basic principles of the Google-case ruling and that judges will be able to take into account the other obligations web shops have.

Next steps
While the discussions on the data protection reform seem to be going in the right direction, there are still many steps to take before the new European data protection regulation will come into force. The Italian Presidency seems confident that it will be able to reach an agreement on the full text during the Council meeting of 14 December. After this agreement, the Council will have to enter in trialogue negotiations with the European Parliament and the European Commission to bring the three legislative proposals together in a regulation. Ecommerce Europe will remain in continuous dialogue with the policy makers to ensure the interests of the e-commerce sector are taken into account in the process.

Privacy & transparency in the e-commerce sector
For an overview of our ideas for the fair, safe and transparent use and collection of data please see our position paper onPrivacy & Transparency for Consumer Trust and Consumer Centrality (2014).