Skip to main content

Europe as digital champion - at what price?


Mark Scott might be right (Europe is fighting tech battle with one hand tied behind its back), European rules may not  create the best climate for all-encompassing digital powers. At first glance, there are also simple answers at hand:  do we want to tolerate a chinese-type surveillance state or adopt an american-type business-is-all-that-counts mindset to be digital champions? Can we, on the other hand, exclude Chinese (think Huawei) or U.S. (Google knows it all, Amazon sells it all, etc.) giants and be digital champions only for ourselves, playing by our own rules? The success of European rules also over Facebook and the like - enter Maximian Schrems - means that we enjoy what these companies developed on the back of the citizens of their countries but we are not able to conquer their lands.
To give a more balanced answer, we need to step one step back. Of course data are not the only force and not the only obstacle (see also on Politico), let us, however, look at them. Data is (or are, if you are less orthodox in language) the new oil, does it say. Power, however, is not in oil but in petrol and petrochemicals. Similarly, the key to real success is what you do with data. Researchers have found ways to link  profile and behavioural data without identifying the persons. One solution is proposed by Accenture, for example. This is more complicated and may be more costly, but can use data of persons in areas outside the U.S. and China, where the example of strict European data protection rules are being followed - South-America, Japan, other parts of Asia and Africa. This is a huge potential which we may lose if we just imitate and do not create our own models.

Comments

Popular posts from this blog

Transfer of Personal Data to Third Countries and International Organisations

Legal requirements The GDPR and Regulation (EU) 2018/1725 (the EUDPR) have changed somewhat the rules concerning transfer of personal data to jurisdictions which are not considered to provide adequate protection of personal data. On one hand the conditions are clearer, on the other hand, new types of safeguards have been introduced. It has to be noted, that there are two possible situations: transfer from a European Institution as controller to another controller and transfer to a processor. At the moment these cases are mostly treated together, although there are some differences. One safeguard which is common between the old and new rules is the use of standard contractual clauses approved by the European Commission (the only change is that the approval procedure has been set within the framework of Comitology, namely the investigation procedure) and the EDPS can also adopt contractual clauses but these also have to be approved by the Commission under the same procedure...

How to prepare for the new GDPR?

If you are completely complying with the "old" data protection rules, you do need have to do a lot about your existing operations processing personal data. Some of the rules were, however open to interpretation and thus some "cutting corners" has been made impossible, like implicit consent. The new "right to be forgotten" also applies immediately to all processing (if there is a request, of course) where the retention was defined too liberally. Different national rules which you followed may be too lenient or too stict so at least a review of what you do amd how you do it is indispensable. Documentation also has to be completed, the "privacy by design" and "privacy by default" concepts and the obligation for data protection impact assessment, however, applies only to newly starting or significantly changed processing. So what about consent? First of all, it has to be noted that - contrary to what you can read sometimes - it is n...

Why is there no article about transmission of data to EU controllers in the GDPR?

There is an article, number 9, in the data protection regulation for EU institutions (Regulation (EU) 2018/1725, called EUDPR). The transmission to other EU institutions or to another controller within the same institution is, however, only subject to recital 21. In the GDPR , even the recitals do not mention transmission of personal data to other European organisations. Of course, the use of processors is regulated in both acts, but not the transmission to another controller. It can be concluded that the transmission to entities under the same legislation is not covered while transmission from EU institutions to entities under a regulation which has a wider scope, is. The reason is clear: protection by the EUDPR is intended to be stricter. For example, EU institutions are not allowed to process data based on legitimate interest. Therefore transmission to another controller, who may process data based on legal bases unavailable for EU institutions, is restricted to cases where the sam...