25 May, 2018

3 good reasons to be happy with the GDPR (and 1 not to be)

By Cristina Vela and Paolo Grassia

GPDR… many appear to be frustrated at the wave of consent-seeking e-mails flooding the inbox these days, but we believe that there are at least 3 good reasons to be happy about the new General Data Protection Regulation (GPDR). There is also 1 reason to be unhappy about it, but let us explain more.

GDPR is lots of work, but also a global standard

European telecom operators have a long tradition in protecting the data and privacy of their customers. Consumer surveys consistently indicate that this is reflected in users’ trust, which is higher than trust in other communication service providers. While this is good, we cannot rest on our laurels and a lot of work has gone into preparing for a strong GDPR implementation across the industry. However, the GDPR is not a mere compliance exercise. The changes it will bring are much more profound as businesses are transforming the way they collect and use personal information. This is worth the effort, especially as the GDPR promises to become a global standard for all those providing services, especially digitally-enabled ones. Some believe that the GDPR will be the European Union’s “major export” worldwide in the coming years. This would be good news for all: no matter who the service provider is or where it is located, all companies have to comply to the same standard when offering services to European citizens. Some companies are already announcing that they will be GDPR-compliant on a global basis and not just for the EU. This will be good both for competitiveness, because all players will eventually need to apply the same rules, and especially for consumers, who will be clearer about their enhanced rights.

GDPR is about harmonisation and certainty – or at least it should be

Another good thing about the GDPR is that it will promote harmonisation across Member States. This is very important when it comes to ensuring consistent rights and obligations across the Single Market. It will make life easier for those who operate in various countries, but it will also ensure more clarity for all users.

However, the telecoms community is looking with great concern at two phenomena that could jeopardize this positive achievement.

On the one hand, most Data Protection Authorities (DPAs) have openly stated that they are not ready for the new rules. This clearly harms legal certainty and might expose certain businesses to future consequences, since many DPAs have been and still are unable to advise on the best implementation modalities.

On the other hand, most Member States are not ready and only a few of them have adopted their “specification” laws, causing yet more uncertainty as these national laws will need time to be adopted. In addition, national laws stemming from the GDPR might de-facto end up creating a parallel or additional regime. This may be the case when national laws  go beyond the delicate balance achieved in the EU Regulation. If they do, yet more additional uncertainty might be created and the Single Market risks being threatened by legislative fragmentation across various EU countries. It is of outmost importance that while benefitting from the flexibility left by GDPR in certain areas, Member States do not touch upon what is core in data protection legislation: the protection of personal data as a fundamental right and the promotion of the free flow of personal data in the Single Market. The same goes for the Guidelines that DPAs gathered in the Article 29 Data Protection Working Party have been elaborating over the last months. Both relevant national Laws and the Working Party’s guidelines should not depart from the spirit of GDPR.

GDPR is the outcome of a long, careful democratic debate

This leads us to the third reason why the GDPR is good: it was the result of a diverse and democratic debate, which included voices from civil society, business as well as experts and DPAs. It was also a tough and long one, but it achieved a balance that most stakeholders welcomed. Most importantly, while the GDPR will now be put to the test of application and reality, most agree it strikes a fair balance between fundamental rights and freedom to innovate for the benefit of European citizens and society as whole. These are all essential elements, especially from the viewpoint of EU values and in light of the Continent’s need for sustained growth. For this reason, our hope is that such a delicate balance is not altered by local debates, over-reaching guidelines or additional sector-specific laws.

The proposed ePrivacy Regulation: a counterproductive double regulatory regime

As in all fairy tales, there is always an obstacle to the happy ending. In the case of the GDPR, we believe, the obstacle might end up being the proposed ePrivacy Regulation. The ongoing review of the current ePrivacy Directive should respond to the need for a fair playing field among different actors providing communications services, but also to the need for alignment with the new GDPR.

The proposed Regulation extends the principle of confidentiality – not specifically included in GDPR – to all players who offer electronic communication services. And not only telcos. This is a positive step as consumers will be able to enjoy a consistent privacy experience, irrespective of technologies, infrastructure, business models and of who provides a given service. 

However, this cannot be an excuse to create a sort of double-regulation regime on top of the GDPR. Instead of building on the new GDPR, the proposed ePrivacy Regulation builds on the obsolete Directive and only allows the processing of communication data based on prior consent, or full anonymization. This with a very limited number of exceptions. This is by no means sufficient or future-proof. Just think of metadata: the GDPR already foresees strong protections and several grounds for processing personal data, beyond mere “consent” and depending on the context any another legal basis might be more adequate. Confidentiality of communications has always been a fundamental principle applied by the telecommunications industry and enshrined in national laws. It is not about questioning the principle of confidentiality, but about asking for broadening the legal grounds for processing metadata in line with the GDPR.

In this context, if the ePrivacy Regulation is not corrected, communication service providers might be forced to gather consent, unlike all the other players in the digital value chain.

This would disrupt the balance achieved by the GDPR, but it would also create problems of legal consistency and clarity. In addition, it would create an unfair playing field, forcing telco companies and other communication service providers to join the global digital competition with one hand tied behind their back. GDPR is good for consumers, but the ePrivacy’s attempt to increase protections could in fact result into less clarity and into a reduced ability to create better products for them. 

At ETNO, we believe that European telcos should be able to fully take part into the game and provide European citizens with digital services inspired by European values. In times of digital uncertainty, this would not only be crucial in economic terms, but it would also provide additional European choice for our citizens.

Cristina Vela is Chairwoman of ETNO’s Data Protection, Trust and Security Working Group. Paolo Grassia is ETNO’s Head of Regulation.