While the General Data Protection Regulation (GDPR) is reaching its latest phase of negotiations in trialogues amongst European policy makers, some key issues still remain open. Ecommerce Europe strongly believes that the GDPR is an essential pillar of the Digital Single Market and therefore calls upon the European negotiators to ensure that the new European Data Protection framework will be fit for the future.
Final call on open issues: consent, data portability, notification of personal data breach
According to the latest text seen by Ecommerce Europe issued after the latest trialogue negotiations, consent (art. 6.1) still seems under discussion and no agreement has yet been reached. Therefore, Ecommerce Europe advocates once more for unambiguous consent for the processing of non-sensitive personal data. The European e-commerce association strongly believes that an obligation to obtain explicit consent from the consumer would have a very negative effect on the online sales market since it will increase costs for online merchants for processing non-sensitive personal data without giving any extra protection to consumers, and it will lead to a devaluation of the principle of consent. Ecommerce Europe calls upon the EU legislators for a risk-based and differentiated approach to consent for the processing of normal personal data – which should require only unambiguous consent – and for the processing of sensitive personal data – which should require explicit consent.
Since it seems that the provision on data portability has not yet been totally agreed, Ecommerce Europe stresses once more that even if it supports the right to data portability, such a right should not expose data controllers to unreasonable administrative burdens. Therefore, Ecommerce Europe maintains that the right to data portability should be restricted to when the consumer has a legitimate interest in portability, the data is technically fit to be transported in a commonly used and machine-readable format, the data does not reveal any sensitive business information and does not harm the privacy rights of other data subjects. Also, the online merchants/data controllers should have the possibility to charge reasonable costs for processing data portability in a commonly used format.
Finally, in the case of a personal data breach, Ecommerce Europe suggests that the risk of privacy impact on the data subject should be substantial before the breach has to be notified to the Data Protection Authority. This would avoid a burdensome obligation for online merchants to notify breaches with a low or very limited risk for the privacy of the consumer.
Satisfactory provisions of the GDPR for the e-commerce sector
Ecommerce Europe is pleased to see that EU negotiators have also managed to find satisfactory agreements on many important provisions for the e-commerce sector. For instance, the European e-commerce association welcomes the latest wording of the more limited definition of “personal data” and the wording of the principle of legitimate interest as a basis for lawful processing of personal data. Ecommerce Europe is also pleased to see that the right to be forgotten is no longer seen as an extra right separate from the right to erasure, but is incorporated into the latter.
For a detailed overview of Ecommerce Europe’s recommendations on consumer policies, please click here to read the full position paper.