Leaked documents show new European data protection rules impacting the e-commerce sector


Leaked documents from the Council of the Ministers of the European Union have shown several changes in the proposal for the new European Data Protection regulation. Some of them directly touch the e-commerce sector, especially in the case of a dispute on data processing with consumers and for the new rules for tracking and profiling of consumers.

More complex one-stop-shop mechanism for online merchants

The one-stop-shop mechanism, which – in the case of the e-commerce sector – was supposed to simplify dispute resolutions between merchants and consumers on personal data processing, now resembles more to a “multi-stop-shop”. According to the leaked documents, the new text would add more levels of bureaucracy: in the case of a cross-border complaint, at least two data protection authorities would have to be involved and reach consensus to solve the case. Only in case of a conflict between authorities, then another one – the European Data Protection Board – would be brought in case.

Ecommerce Europe is concerned as the new text could result in a very long and burdensome procedure for online shops, and especially for smaller ones, in case of a dispute. Ecommerce Europe has been asking the European policy makers for a pan-European authority that has the power to settle cross-border disputes about data processing between businesses and consumers. This will ensure that data protection rules are interpreted throughout Europe in the same manner, and will provide legal certainty for online merchants when selling cross-border.

Unambiguous consent for tracking and profiling online consumers

The leaked documents suggest that internet browser settings could constitute consent for being tracked and profiled online. In practice, the new text would remove the Commission’s initial proposal for explicit consent of the consumer for being tracked and/or profiled. In practice, this would allow businesses to proceed with personal data processing activities on the basis of individuals’ unambiguous consent. Explicit consent from the consumer would generally be required where the processing involves more sensitive personal information.

Ecommerce Europe believes that the privacy impact of personal data processing depends by the context. A risk-based consent rule depending on the specific circumstances of the personal data collection – such as the one proposed in the leaked text – would be the most suitable approach. In essence, Ecommerce Europe favors the notion of unambiguous consent as a suitable instrument in order to foster competition in the European e-commerce sector.

Next steps

The Justice Ministers from the 28 European countries are supposed to give provisional support to the Data Protection regulation at their next meeting scheduled for 12 March. Only when the Justice Ministers have finalized their position on the new data protection framework, negotiations between the Council of Ministers and the European Parliament can be opened to determine the final legislation.

Ecommerce Europe remains in continuous dialogue with the policy makers to ensure the interests of the e-commerce sector remain to be taken into account in the process, and will update its members on any relevant developments

For the leaked Council documents, please click on the following links (source EDRi):