Data Protection Report - Norton Rose Fulbright

On January 10, 2017, the EU Commission published a package of documents on the EU’s data economy strategy, including e-privacy, data protection and the “European Data Economy.” The Commission documents,  published in the context of the Commission’s digital single market (“DSM”) initiative announced in May 2015, illustrate again the strong links between the EU’s digital regulatory strategy, data protection, intellectual property and antitrust policy, notably including the Commission’s preliminary report on its sector inquiry on e-commerce, also launched in May 2015.

The e-privacy and data protection documents include a proposal for a new regulation on privacy and electronic communications (the “E-Privacy Regulation”) and a communication on exchanging and protecting personal data in a globalized world (the “Data Transfer Communication”). The European data economy documents include  a Communication on Building a European Data Economy (the “Data Economy Communication”), accompanied by two consultations, one consultation on the European data economy (the “Data Economy Consultation”) and another on the EU directive on liability for defective products (the “Defective Product Consultation”).

The Commission’s proposals are wide-ranging and ambitious, including (for example) potential EU enforcement actions to invalidate national data localization requirements; a new EU legal framework to promote access to data, potentially including a requirement for companies to provide access to data generated on their own products and services through the Internet of Things (“IoT”); default contract rules that would invalidate data access and usage provisions in other contracts that are deemed unfair, including in a B2B context; and a mandatory portability right for non-personal data based on the EU portability right for personal data.

These initiatives are of critical importance for all companies doing business in the EU, not only technology companies. The Commission hopes that the E-Privacy Regulation will be adopted by May 2018, in time for the GDPR’s entry into force. The Commission’s consultations are open until April 26, 2017. The Commission sets out a number of specific actions it plans to take in 2017 and 2018, following the consultations.  In addition, the Commission plans to conduct bilateral discussions with individual stakeholders.

For more information on the Commission’s DSM strategy and e-commerce sector inquiry, see our summary of the initial announcement and updates from November 2015, December 2015, and August 2016.


E-Privacy and Data Transfers

E-Privacy Regulation

The proposed new E-Privacy Regulation is intended to ensure stronger privacy in electronic communications by updating current rules set out in the e-Privacy Directive (2002/58/EC), extending the rules to providers of services that run over the internet (referred to as “over-the-top” or “OTT” service providers), by introducing a broad definition of “electronic communication services.” As a result, the privacy rules in the E-Privacy Regulation will also apply to providers such as WhatsApp, Facebook Messenger, Skype, Gmail, iMessage, or Viber.

A number of provisions in the E-Privacy Regulation demonstrate the intended alignment with the EU General Data Protection Regulation (the “GDPR”), including the territorial scope provision. In addition, the penalty provisions in the E-Privacy Regulation closely align with the GDPR, including exposing organisations to fines up to 4% of worldwide annual turnover for certain breaches.

The E-Privacy Regulation would protect privacy for both content and metadata derived from electronic communications (e.g., time of a call and location). Both will need to be anonymised or deleted if users have not given their consent, unless the data is required for instance for billing purposes.  Once consent is given, traditional telecoms operators will have more opportunities to use data and provide additional services, such as heat maps indicating the presence of individuals to help public authorities and transport companies when developing new infrastructure projects.

The so-called “cookie provision” under the e-Privacy Directive, which has resulted in an overload of consent requests for internet users, would be streamlined to give users more control of their settings, providing an easy way to accept or refuse the tracking of cookies and other identifiers in case of privacy risks. The proposal clarifies that no consent is needed for non-privacy intrusive cookies improving internet experience (e.g., to remember shopping cart history). Cookies set by a visited website counting the number of visitors to that website will also no longer require consent.

The E-Privacy Regulation would ban unsolicited electronic communications to consumers by any means, including emails, SMS and phone calls, without users’ consent. However, marketers may continue to use electronic contact details they receive in the context of a sale of a product or service for direct marketing of similar products and services if customers are given an opportunity to opt-out of such use.  Moreover, Member States may elect to give consumers the right to object to voice-to-voice marketing calls on an opt-out basis, for example by registering their number on a do-not-call list.  In any case, marketing callers will need to display their phone number or use a special prefix that indicates a marketing call.

The E-Privacy Regulation would require software placed on the market permitting electronic communications to offer end users an option to prevent third parties from storing or processing information on terminal equipment. The E-Privacy Regulation further provides that, upon installation, the software must inform end-users about the privacy setting options and, to continue with the installation, require the end-user to consent to a particular setting. These provisions have been watered down compared to a draft of the regulation leaked in December 2016 that would have required all terminal equipment and software used to retrieve and present information on the internet to be configured with default options preventing third parties from storing information on, or using information about, a user’s device.

 Data Transfer Communication

The Data Transfer Communication sets out the Commission’s approach to international personal data transfers in light of the GDPR and the adoption of the EU-U.S. Privacy Shield, which replaced the Commisison’s “safe harbour” decision invalidated by the European Court of Justice in the 2015 Schrems decision.  The Commission will engage proactively in discussions with key trading partners in East and South-East Asia, starting with Japan and Korea in 2017, but also with interested countries of Latin America and the European Neighbourhood to enable the Commission to reach “adequacy decisions” to allow for the free flow of personal data to countries with “essentially equivalent” data protection rules to those in the EU.  In addition, the Commission will make use of alternative mechanisms provided by the GDPR to facilitate the exchange of personal data with other third countries with which adequacy decisions cannot be reached.


The Data Economy

The Data Economy Communication looks at four main areas: obstacles to the free movement of data; data access and transfer; liability; and portability, interoperability, and standards.

Obstacles to free movement of data

In relation to obstacles to free movement, the communication focuses on data localisation requirements increasingly being considered and adopted at the national level. While the GDPR bans restrictions on the free movement of personal data  in the EU for the protection of personal data, the GDPR does not apply to  restrictions for other reasons, and it does not apply to non-personal data, for instance non-personal machine-generated data.

In the Data Economy Consultation, the Commission seeks input on the extent, nature and impact of data localisation restrictions within the EU, what could constitute justified grounds for such restrictions, and to what extent businesses store or process data in multiple geographical locations within the EU. The Commission also seeks respondents’ views on the perceived impact that the removal of data localisation restrictions within the EU would have on their businesses.

The Commission notes that any current or new Member State data location restrictions need to be carefully justified under the principle of free movement of data within the EU to verify that they are necessary and proportionate to achieve an overriding objective of general interest, such as public security.  Taking account of the responses to the Data Economy Consultation, the Commission plans to discuss the justifications for and proportionality of data location measures with Member States and other stakeholders, and, where needed, to launch infringement proceedings challenging unjustified or disproportionate data location measures.

Data access and transfer

The Commission notes the increasing importance of data generated by machines or processes based on emerging technologies, such as the IoT, as a key component for new services, to improve products or production process and to support decision-making. The Commission believes that access to the raw data generated by these machines or processes is central to the emergence of a data economy, mentioning the transport, energy, smart living, and healthcare sectors in particular.  The Commission notes that enterprises in the data economy deal with both personal and non-personal data, and that data flows and datasets often contain both types. Any policy measure must take account of the legal framework on the protection of personal data.

In the Data Economy Consultation, the Commission seeks input on businesses’ trading practices in relation to non-personal data, perceived barriers to trading and re-use of such data and ways to enhance access to and re-use of data and data trading. More specifically, the Commission seeks input on whether and to what extent businesses have access to the data they need to develop or conduct their tasks and to assess the role of existing legislation on unfair contract terms and commercial practices.  The Commission also asks whether businesses consider possible denials of access to data to amount to abuses of dominant positions for antitrust purposes and whether current competition law enforcement mechanisms adequately address potentially anti-competitive behaviour of companies holding or using data.  The Commission also seeks input on the importance respondents’ attach to different policy objectives (e.g., promoting trading and sharing of machine generated data, versus protecting investments into data collection capabilities and confidential information) and what types of access to data respondents would agree to give public sector bodies, researchers, and commercial operators.  More generally, the Commission asks whether there is a need to revise or introduce legislation to support the European data economy.

Using the results of the Data Economy Consultation, the Commission intends to explore a possible future EU framework for data access, revolving around the most effective ways to improve access to anonymous machine-generated data and facilitate and incentivise data sharing.  More specifically, the Commission is considering a range of options, ranging from guidelines on non-personal data control rights; fostering technical solutions such as APIs, for example through best practice guidance; dveloping mandatory default contract rules and recommended standard contract terms; mandating data access without remuneration for public interest and scientific purposes; granting owners or lessees of devices generating data a right to use and authorise the use of non-personal data generated by the device; and creating a new legal framework, which may vary by sector, requiring data holders, such as manufacturers and service providers, to provide access to their data based on fair, reasonable and non-discriminatory (FRAND) terms.


The Data Economy Communication discusses liability issues that can arise in relation to products and services based on technologies such as the IoT, factories of the future and autonomous connected systems. It may be difficult to establish the exact source of a problem that leads to damages, raising the issues of how to ensure that these systems are safe, minimise damage and assign liability.

In the Data Economy Consultation, the Commission seeks input from producers and users of IoT technologies and autonomous systems on their level of awareness, experiences and issues related to liability for related products and services. The Defective Product Consultation further seeks input on these ideas and seeks to assess whether the Products Liability Directive is appropriate for emerging technologies such as IoT and autonomous connected systems.

Portability, interoperability and standards

 The Data Economy Communication addresses the issues of the portability of non-personal data, the interoperability of services to allow data exchange, and appropriate technical standards for implementing meaningful portability. While the GDPR gives individuals a portability right for personal data, there are no such requirements for non-personal data. Data portability considerations are closely related to data interoperability. In the case of online platforms, data interoperability facilitates not only switching, but also the concurrent use of several platforms (so-called “multi-homing”) as well as widespread cross-platform data exchange, which has the potential to enhance innovation. According to the Commission, effective portability policies must be supported by appropriate technical standards to ensure interoperability.

In the Data Economy Consultation, the Commission seeks to identify business situations where portability of non-personal data could unlock opportunities and/or eliminate blockages in the data economy and requests views on the possible effects of introducing portability rights for non-personal data regarding cloud services, data generated by machines, tools and/or devices  and/or data generated by online platforms.

Taking account of the responses to the Data Economy Consultation, the Commission is considering developing recommended contract terms to facilitate switching of service providers; developing further rights to data portability of non-personal data, building on the data portability right provided by the GDPR and the proposed rules on contract for the supply of digital content; and sector-specific experiments on standards to develop portability rules encoded through standards.


Our Take

In its European data strategy package, the Commission raises a plethora of interrelated issues cutting across multiple areas of law and policy, including ICT regulation, antitrust, intellectual property, consumer protection and data protection. If implemented, some of the Commission’s proposals — such as requiring companies collecting data on their own products and services to make those data available for free or on FRAND terms and to use standard APIs and take other steps to ensure interoperability and portability —  would be revolutionary and impact virtually all large companies doing business in the EU.

On the data protection front, the E-Privacy Regulation would expand current requirements to more service providers, imposes new requirements relating to privacy setting options in software and brings in more onerous requirements around how consent is obtained. It would also significantly increase the penalties for breach.  On the other hand, the E-Privacy Regulation is somewhat more business-friendly compared to a draft of the regulation leaked in December 2016 as regards “privacy by design” and extending marketing restrictions to corporate users.

Given the importance of the Commission’s data package and the controversial nature of some of the Commission’s proposals, it will be very important for industry, not just the ICT sector, to make their views known through the Commission’s consultations and anticipated stakeholder dialogues. Although the E-Privacy Regulation is not covered by the Commission’s consultations, there will no doubt be extensive opportunities for interested parties to communicate their views on this proposal to the European Parliament and Council.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.