The General Data Protection Regulation is now a reality!


After a long legislative process lasting four years, Ecommerce Europe welcomes the adoption of the new General Data Protection Regulation (GDPR) by the plenary of the European Parliament on 14 April 2016, approximately a week after the Council of the European Union adopted the text without amendments. The GDPR has been designed to bring the European data protection framework into the 21st century. The new Regulation will replace the outdated Data Protection Directive of 1995. The 1995 Directive was put in place during the infancy of mass consumption of the internet and has since become irrelevant and obsolete, according to the policy makers.

The new and updated Regulation is expected to support businesses operating within the European Union by providing a fully harmonized, single data protection regime across the Union. “The regulation will create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition”, declared Mr. Jan Philipp Albrecht, Member of the European Parliament (Greens, DE) and rapporteur for the GDPR.

Key provisions of the GDPR

The new GDPR is an essential pillar of the Digital Single Market and is expected to strengthen citizens’ rights online while supporting online merchants through simplified and harmonized data protection rules. Key provisions imposed by the Regulation are:

• A right to be forgotten;
• “Clear and affirmative consent” to the processing of private data by the person concerned;
• The right to know when your data has been compromised;
• Ensuring that privacy policies are explained in clear and understandable language;
• Stronger enforcement and fines up to 4% of companies’ total global annual turnover.

‘Pros’ of the new Data Protection Regulation

Ecommerce Europe notes the milestones towards increasing consumer trust in the digital economy by strengthening privacy rights and data protection rights and acknowledges the beneficial effects these will have for the European e-commerce sector. Ecommerce Europe is pleased to see that the legislators officially adopted the principle of “unambiguous consent” for the processing of personal data. Throughout the negotiating stages, Ecommerce Europe had always argued that imposing a provision requiring “explicit consent” for processing non-sensitive personal data would have had a very negative effect on the e-commerce sector by increasing costs for online merchants for processing such data, without giving any extra protections to consumers.

In addition, Ecommerce Europe is delighted to find other e-commerce specific provisions in the final text for which it had heavily lobbied throughout the process. For instance, SMEs will be exempt from an obligation to appoint a Data Protection Officer (DPO) where data processing is not their core business activity. Also, the European e-commerce association welcomes the wording of the more limited definition of “personal data” and the wording of the principle of legitimate interest as a basis for lawful processing of personal data. Ecommerce Europe is also pleased to see that the right to be forgotten is no longer seen as an extra right separate from the right to erasure, but is incorporated into the latter.

‘Cons’ of the new Data Protection Regulation

Ecommerce Europe believes it is a missed opportunity that the fines regime remains excessive and has not been modified in the last legislative stages. According to the adopted text, national data protection supervisory authorities may impose fines of up to 4% of the annual global turnover of companies found to be in breach of the GDPR. In Ecommerce Europe’s view, 4% is an excessive rate, since it could effectively destroy a business. A rate limited to a maximum of 2%, with the maximum fine applicable only in the case of very severe and harmful infringements, would have been preferable.

Next steps

The GDPR will enter into force 20 days after its publication in the EU Official Journal. Its provisions will be directly applicable in all Member States two years after this date.

In relation to data protection, the European Commission has recently launched a public consultation on the evaluation and review of the e-Privacy Directive, to which Ecommerce Europe will officially reply. To this end, Ecommerce Europe asks European policy makers to maintain an integrated approach in order to avoid double regulation, as some rules related to e-Privacy are already included in the recently adopted General Data Protection Regulation.

Ecommerce Europe takes up its role in the revision process of the e-Privacy Directive, and will also work towards the creation of “guidelines” for interpretation of the GDPR, to ensure that the interests of the e-commerce sector will be taken into account.